North Korean IT workers have infiltrated cryptocurrency companies and decentralised finance (DeFi) projects for at least seven years, Cointelegraph reported on April 6.

MetaMask developer and security researcher Taylor Monahan (테일러 모나한) claimed North Korean IT personnel worked at more than 40 DeFi platforms, including well-known projects.

He added that the "seven years of blockchain development experience" listed on their resumes was actual experience.

The Lazarus Group (라자루스 그룹), a North Korea-linked hacking organisation, is estimated to have stolen about $7 billion worth of cryptocurrency since 2017. It has been linked to some of the industry's biggest hacks, including the $625 million Ronin Bridge (로닌 브릿지) exploit in 2022, the $235 million WazirX (와지르엑스) hack in 2024 and the $1.4 billion theft from Bybit (바이비트) in 2025.

Tim Ahhl (팀 알), founder of Solana (솔라나)-based decentralised exchange aggregation platform Titan Exchange (타이탄 익스체인지), disclosed that he had interviewed an applicant at a previous workplace who was later identified as a Lazarus operative. The applicant did a video interview and was highly skilled, but refused an in-person interview. He later found the applicant's name on a Lazarus information leak list.

Monahan's remarks came shortly after Drift Protocol (드리프트 프로토콜) recently pointed to a North Korea-linked group as being behind a $280 million exploit. Ahhl said, "Lazarus is now hiring non-North Koreans and using them for in-person contact."