DPRK IT Workers Linked to 40 DeFi Platforms, Researcher Says

Drift Exploit Renews Focus on North Korean DeFi Infiltration

Written By : Yusuf Islam
Reviewed By : Radhika Rajeev

Security researcher Taylor Manonan said North Korean IT workers infiltrated more than 40 DeFi platforms over the past seven years. The claim surfaced hours after Drift Protocol disclosed a $280 million exploit tied to a DPRK-linked operation. Drift said the incident grew through months of social engineering, not a typical hack. The platform linked the campaign to a group known as UNC4736.

Manonan wrote on X that seven years of DeFi experience on those resumes was not a lie. She said those workers built critical protocols used across the listed platforms. If those workers helped build core protocols, how wide does the exposure run across DeFi?

Drift Says the Operation Developed Over Months

Drift said the attackers posed as a legitimate trading firm and met company executives at several crypto events. At the same time, they placed $1 million in capital on the platform. Then, the group slowly gained trust inside the organization. Drift said team members later interacted with malicious code and apps controlled by the attackers.

That step likely compromised devices and opened access to critical systems. Drift said the campaign did not resemble a standard exploit because it relied on a long, coordinated social engineering effort.

The platform later linked the operation to UNC4736. Drift also said the individuals who met contributors in person were not North Korean nationals. Instead, Drift said DPRK-linked actors often use third-party intermediaries for face-to-face engagement. That detail formed part of the platform’s public account of the incident.

Past Crypto Thefts Keep the Threat in Focus

Analysts at Creator Network R3ACH said the Lazarus group has stolen more than $7 billion in crypto since 2017. Their timeline included several of the sector’s largest breaches. The list included the $625 million Ronin Bridge attack in 2022. It also included the $235 million WazirX exploit in 2024 and the $1.4 billion Bybit heist in 2025.

R3ACH described the Bybit theft as the biggest hack on its timeline. The latest Drift case therefore sits within a longer pattern of DPRK-linked crypto attacks. Tim Ahhl, founder of Solana-based DEX aggregator Titan Exchange, shared a related hiring story. He said a previous employer interviewed a candidate who later appeared in a Lazarus info dump.

Ahhl said the applicant joined video calls and appeared extremely qualified. Still, the candidate declined an in-person interview. Later, the executives found his name in the Lazarus dump. Ahhl said the person turned out to be a Lazarus executive.

Investigators Warn Teams to Rethink Trust

Earlier this year, the US Treasury sanctioned individuals and entities tied to a North Korea-linked IT worker scheme. Officials said the network used fake identities to win remote tech jobs. Authorities also said the scheme routed earnings through cryptocurrency. According to officials, that network generated illicit revenue for the North Korean regime.

Drift said incident responders at SEAL 911 traced on-chain fund flows and overlapping personas to DPRK-linked actors. At the same time, the platform said Mandiant had not confirmed attribution while forensic work continued. Drift credited security researcher @tayvano_ for helping identify the malicious actors. In a post on X, the researcher listed dozens of DeFi protocols and alleged that DPRK IT workers built them.

Pearl said security must move to pre-transaction validation at the blockchain level. He said teams need to simulate and verify transactions independently before execution. Lavid said teams now have to assume the endpoint is compromised. He pointed to IDEs, code repositories, mobile apps, and signer environments as common entry points.

He told Decrypt that vulnerable tools can manipulate anything shown to users, including transactions. He said that risk leaves teams unable to trust the interface, the device, or the signing flow.

Conclusion:

Claims that DPRK IT workers infiltrated more than 40 DeFi platforms have intensified concerns after Drift Protocol linked its $280 million exploit to a long-running social engineering operation. The case, along with past Lazarus-linked thefts, points to bigger risks across crypto hiring, development, and platform security.
