North Korean Agents Have Infiltrated DeFi For Nearly A Decade, Researcher Reveals

Author: Bitcoinist
Release Time: 2026-04-07 07:00:07

A top cybersecurity researcher has issued a stark warning: North Korean state-backed agents have been operating undetected within major cryptocurrency projects for nearly ten years. The revelation follows last week's $280 million exploit of Drift Protocol, now identified as the latest operation by this sophisticated, long-term network.

Seven Years Of Cover, 40+ Platforms Breached

MetaMask developer and security researcher Taylor Monahan said Sunday that North Korean IT workers have been embedded inside more than 40 decentralized finance platforms, some of them household names in the crypto space.

Their infiltration goes back to what the industry calls “DeFi Summer” — roughly 2020, when decentralized finance exploded in popularity.

oh god uhhhh like sushi, thorchain, yam, pickle, harvest, reclaim, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,…

— Tay💖 (@tayvano_) April 5, 2026

Monahan said the “seven years of blockchain development experience” these workers list on their resumes isn’t fabricated. They actually built the protocols.

The Lazarus Group — the name given to North Korea’s state-sponsored cyber operation — has pulled an estimated $7 billion from the crypto industry since 2017.

Reportedly:

In 2026 Lazarus made 18 attacks on protocols in 3 months

Stolen funds are funding “North Korea’s Nuclear Weapons”

It’s the most successful venture fund built on hacks

Here is the complete attack timeline👇https://t.co/GuNL4FTCqv pic.twitter.com/7YJzYrTEJj

— jussy (@jussy_world) April 5, 2026

The $7 billion figure comes from analysts at creator network R3ACH. Major attacks attributed to the group include the $625 million Ronin Bridge breach in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit theft in 2025.

Not All North Korean — Third-Party Proxies Now Involved

What sets the Drift case apart is who showed up in person. The protocol said that face-to-face meetings connected to the breach were not conducted by North Korean nationals.

Instead, reports indicate the group used third-party intermediaries — people with built-out fake identities, fabricated employment histories, and professional networks constructed to pass scrutiny.

Lazarus Group is the collective name for all DPRK state sponsored cyber actors.

The main issue is everyone groups them all together when the complexity of threats are different.

Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way… pic.twitter.com/NL8Jck5edN

— ZachXBT (@zachxbt) April 5, 2026

Sleuth: Companies That Still Fall For This Are Negligent

Blockchain investigator ZachXBT pushed back on how the industry discusses these threats, saying not all attack types carry the same weight.

Recruitment-based schemes — job postings, LinkedIn outreach, Zoom interviews — are, in his words, basic. They require no technical sophistication. What makes them effective is sheer persistence.

“If you or your team still falls for them in 2026, you’re very likely negligent,” ZachXBT wrote.

For companies looking to screen out bad actors, the US Office of Foreign Assets Control maintains a public database where crypto businesses can check counterparties against updated sanctions lists and watch for patterns tied to IT worker fraud.
