Unexpected Collaborations: North Korean IT Workers in DeFi Projects

Recent claims from a respected on-chain analyst have unveiled startling revelations about North Korean IT professionals allegedly being involved in the development of more than 40 major decentralized finance (DeFi) projects since 2020. This scenario paints a complex picture of state-backed entities skillfully embedding themselves within the burgeoning crypto industry.

How deep does the infiltration go?

The revelations, shared by an analyst known as Tay, suggest that developers linked to North Korea, or the Democratic People’s Republic of Korea (DPRK), have not only exploited vulnerabilities in DeFi systems but have also played pivotal roles in building key project infrastructures. This contrasts previous assumptions focusing solely on their hacking endeavors.

The discussion gained momentum following an account of a job interview with a candidate later associated with the infamous Lazarus Group. Despite showcasing impressive technical expertise and undergoing typical recruitment protocols, the individual withdrew from subsequent interviews that required travel. This incident has raised alarms about the sophisticated tactics employed by North Korean operatives to infiltrate legitimate DeFi initiatives.

One highlighted case is Drift Protocol, which focuses on derivatives. Here, a hidden state-affiliated contributor was uncovered shortly after a significant protocol breach in April 2024, eerily exemplifying the stealth mode in which these actors operate.

What kind of roles are they assuming?

Tay outlined a list of DeFi projects, including SushiSwap, Thorchain, Yearn Finance, Fantom, and Harmony, allegedly touched by DPRK’s covert talent. These workers, described as highly skilled, posed as seasoned professionals with substantial blockchain expertise. They seamlessly blended into development teams, passing rigorous technical assessments.

Tay estimated that these engagements have depleted approximately $6.7 billion from the crypto sector. His analysis disclosed how such individuals, operating from within respected projects, have covertly drained billions.

Examples abound: An embedded developer at Harmony assisted with protocol security before a distinct group executed a breach; meanwhile, Beanstalk saw similar implications through different exploits.

In detailed assessments, Tay brought up a developer linked to SushiSwap—previously flagged in reports for North Korea relations—demonstrating that the infiltration network is wide-reaching and complex.

• More than 40 DeFi protocols reportedly involved.
• Contribution by DPRK workers characterized by advanced technical expertise.
• Estimated financial loss from their activities exceeds $6.7 billion.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has increased scrutiny, targeting numerous North Korean entities this year. Despite recent efforts, Tay warns that infiltration has been prevalent since the DeFi sector’s inception, revealing hidden vulnerabilities.

“This highlights the ongoing challenge of identifying and mitigating state-sponsored threats,” Tay stated, urging industry-wide vigilance.