Expert Says North Korean IT Workers Helped Build Leading DeFi Protocols During 2020 Boom

Cybersecurity researcher Taylor Monahan has revealed that IT workers linked to North Korea have been active within the decentralized finance space for years. She explained that these individuals contributed to several major protocols during the 2020 DeFi boom, often referred to as DeFi summer.

According to Monahan, the experience listed on their resumes was largely authentic, suggesting that these developers were genuinely involved in building blockchain projects rather than fabricating their credentials.

When asked to provide examples, she named platforms such as SushiSwap, THORChain, Yearn Finance, Harmony, Ankr, and Shiba Inu, among others. She noted that some teams, including Yearn, stood out for their strict security practices, relying heavily on peer reviews and maintaining a cautious stance toward contributors. This approach likely reduced their exposure compared to other projects.

Monahan also warned that these operations have evolved over time. She suggested that such groups may now rely on individuals who are not based in North Korea to handle certain tasks, including face-to-face interactions. Based on her estimates, these networks may have extracted at least 6.7 billion dollars from the crypto ecosystem over the years.

North Korea remains a dominant force in crypto-related cybercrime. A report from Chainalysis found that hackers linked to the country stole at least 2.02 billion dollars in digital assets in 2025 alone. This marked a 51 percent increase from the previous year and accounted for 76 percent of all service-related breaches.

Although the number of attacks has declined, the scale of each incident has grown significantly. Chainalysis attributed this trend to the use of infiltrated IT workers who gain access to crypto companies such as exchanges and custodial platforms before major exploits occur.

After stealing funds, these groups typically move assets in smaller transactions, with more than 60 percent of transfers below 500,000 dollars. Their laundering strategies often involve cross-chain tools, mixing services, and financial networks that operate in Chinese-language environments.

The Security Alliance has also reported that these attackers use fake video calls on platforms like Zoom and Microsoft Teams to distribute malware. These attacks often begin through compromised Telegram accounts, where victims are invited to join what appears to be a legitimate meeting. During the call, pre-recorded footage is used to build trust before targets are instructed to install a supposed update that actually gives attackers access to their devices. Once a device is compromised, sensitive information is stolen and the hijacked accounts are used to continue spreading the attack.

North Korea-linked actors have also been tied to recent breaches such as the March 1 attack on Bitrefill. In that case, attackers reportedly gained entry through a compromised employee device and obtained credentials that allowed deeper access into internal systems. They then accessed parts of the database, drained funds from hot wallets, and exploited gift card supply channels. Investigators found that malware signatures, on-chain activity, and reused infrastructure closely matched previous operations associated with the Lazarus Group and Bluenoroff.