A $280 million exploit against Drift Protocol last week wasn’t just a heist — it was the latest operation tied to a network of North Korean agents who have quietly worked inside some of crypto’s biggest projects for years.
Seven Years Of Cover, 40+ Platforms Breached
MetaMask developer and security researcher Taylor Monahan said Sunday that North Korean IT workers have been embedded inside more than 40 decentralized finance platforms, some of them household names in the crypto space.
Their infiltration goes back to what the industry calls “DeFi Summer” — roughly 2020, when decentralized finance exploded in popularity.
oh god uhhhh like sushi, thorchain, yam, pickle, harvest, reclaim, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,…
— Tay
(@tayvano_) April 5, 2026
Monahan said the “seven years of blockchain development experience” these workers list on their resumes isn’t fabricated. They actually built the protocols.
The Lazarus Group — the name given to North Korea’s state-sponsored cyber operation — has pulled an estimated $7 billion from the crypto industry since 2017.
Reportedly:
In 2026 Lazarus made 18 attacks on protocols in 3 months
Stolen funds are funding “North Korea’s Nuclear Weapons”
It’s the most successful venture fund built on hacks
Here is the complete attack timeline
https://t.co/GuNL4FTCqv pic.twitter.com/7YJzYrTEJj
— jussy (@jussy_world) April 5, 2026
That figure comes from analysts at creator network R3ACH. Major attacks attributed to the group include the $625 million Ronin Bridge breach in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit theft in 2025.
Not All North Korean — Third-Party Proxies Now Involved
What sets the Drift case apart is who showed up in person. The protocol said that face-to-face meetings connected to the breach were not conducted by North Korean nationals.
Instead, reports indicate the group used third-party intermediaries — people with built-out fake identities, fabricated employment histories, and professional networks constructed to pass scrutiny.
Lazarus Group is the collective name for all DPRK state sponsored cyber actors.
The main issue is everyone groups them all together when the complexity of threats are different.
Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way… pic.twitter.com/NL8Jck5edN
— ZachXBT (@zachxbt) April 5, 2026
Sleuth: Companies That Still Fall For This Are Negligent
Blockchain investigator ZachXBT pushed back on how the industry discusses these threats, saying not all attack types carry the same weight.
Recruitment-based schemes — job postings, LinkedIn outreach, Zoom interviews — are, in his words, basic. They require no technical sophistication. What makes them effective is sheer persistence.
“If you or your team still falls for them in 2026, you’re very likely negligent,” ZachXBT wrote.
For companies looking to screen out bad actors, the US Office of Foreign Assets Control maintains a public database where crypto businesses can check counterparties against updated sanctions lists and watch for patterns tied to IT worker fraud.
Featured image from Unsplash, chart from TradingView
