
Expert Says North Korean IT Workers Helped Build Top Protocols During DeFi Summer




North Korean developers weren’t faking resumes, said Taylor Monahan, who went on to add that they were actively building prominent DeFi platforms and later enabled billions in crypto losses.

Cybersecurity researcher Taylor Monahan has claimed that North Korea-linked IT workers have been operating within the decentralized finance ecosystem for years. Monahan stated that these actors contributed to many well-known protocols during the “DeFi summer” era of 2020.

According to her latest tweet, the years of blockchain development experience listed on their resumes were often genuine, reflecting real technical contributions rather than fabricated credentials.

Years of DeFi Infiltration

When asked for examples, she pointed to several prominent projects, including SushiSwap, THORChain, Yearn, Harmony, Ankr, and Shiba Inu, among many others. Monahan also revealed that some teams, like Yearn, stood out for their strict approach to security, relying heavily on peer review and maintaining a high level of skepticism toward contributors.

This, she implied, helped limit potential exposure compared to other projects. Additionally, Monahan warned that the tactics have evolved, and these groups are now potentially using non-North Korean individuals to carry out parts of their operations, including in-person interactions. According to the security expert’s estimates, these entities may have collectively extracted at least $6.7 billion from the crypto space during this period.

North Korea has continued to dominate crypto-related cybercrime, emerging as the largest state-backed threat in the sector. According to an earlier report by Chainalysis, DPRK hackers stole at least $2.02 billion in digital assets in 2025 alone, which is a 51% increase from 2024 and accounts for 76% of all service-related breaches.

While there were fewer attacks, the scale was significantly larger. Chainalysis attributed this scale to the state-backed groups’ use of infiltrated IT workers who gain access to crypto firms, including exchanges and custodians, before major exploits take place.

Once funds are stolen, these actors typically move assets in smaller transactions, with more than 60% of transfers under $500,000. Their laundering methods rely heavily on cross-chain tools, mixing services, and Chinese-language financial networks.

Security Alliance (SEAL) had previously found that cyberattacks using fake Zoom or Microsoft Teams calls were carried out by these groups to infect victims with malware. These operations often begin through compromised Telegram accounts, where attackers pose as known contacts and invite targets to join a video call.

During the meeting, pre-recorded videos are used to appear legitimate before victims are told to install a supposed update, which instead grants attackers access to their devices. Once inside, these actors steal sensitive data and reuse hijacked accounts to spread the attack further.

Expanding Attack Surface

North Korea-linked hackers were also suspected to be behind the March 1 breach of Bitrefill. The attackers reportedly gained entry through a compromised employee device and managed to extract credentials that allowed deeper access into internal systems.

From there, they moved into parts of the database and drained funds from hot wallets while also exploiting gift card supply flows. Indicators such as malware patterns, on-chain behavior, and reused infrastructure matched previous operations tied to the Lazarus and Bluenoroff groups.

Published by Adam Forsyth
