Research highlights long-term insider risks in decentralised finance projects
Security concerns rise over insider threats in decentralised finance systems
Photo Credit: Unsplash/Shubham Dhage
Security researcher Taylor Manonan has claimed that North Korean IT workers have been infiltrating DeFi platforms for the past 7 years. This includes over 40 DeFi platforms, which she listed in a post on X. She further added that seven years of DeFi experience on their resumes is not a lie, cause they have built all the critical protocols that run on each of these DeFi platforms. This data revelation came hours after the Drift Protocol disclosed a $280 million (roughly Rs. 2,600 crore) exploit, which also had a DPRK group behind it.
Drift Protocol, which fell prey to this scam were completely oblivious. In a post on X, Drift Protocol explained that this was not a typical hack, but a months-long, highly coordinated social engineering operation. Bad actors posed as a legitimate trading firm, met the execs at Drift Protocol at a lot of crypto events. They even invested a million dollars in capital on the platform. Over time, they managed to trick team members into interacting with malicious code and apps, likely compromising their devices and gaining access to critical systems. This operation is now linked to a DPRK group called UNC4736.
This is not the first time that a DPRK group has been part of such a scam. As per the analysts at Creator Network R3ACH, the Lazarus group has stolen over $7 billion (roughly Rs. 65,000 crore) in crypto since 2017. These attacks include a $625 million (roughly Rs. 5,803 crore) scam of Ronin Bridge in 2022, the $235 million (roughly Rs. 2,182 crore) WazirX exploit in 2024, and $1.4 billion (roughly Rs. 13,000 crore) Bybit heist in 2025, which is also the biggest hack on their timeline.
Commenting on this issue, Tim Ahhl, the founder of the Titan Exchange, which is a Solana-based Dex aggregator, said that in a previous job, “we interviewed someone who turned out to be a Lazarus executive.” Ahhl further added that the candidate “did video calls and was extremely qualified”. The bad actor declined an in-person interview, and the execs at Titan Exchange later found his name in a Lazarus “info dump.”
Earlier this year, the US Treasury had sanctioned individuals and entities tied to a North Korea-linked IT worker scheme that allegedly used fake identities to secure remote tech jobs and funnel earnings through cryptocurrency. Officials say the network helped generate illicit revenue for the North Korean regime.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.