A prominent on-chain analyst has claimed that IT workers linked to North Korea were involved in building over 40 major decentralized finance (DeFi) protocols since the sector’s rapid expansion in 2020, raising new concerns about the reach and sophistication of state-sponsored actors in the crypto industry.
The depth of infiltration in DeFi
The latest controversy centers around the analyst known as Tay, who outlined how developers allegedly connected to North Korea, also called the Democratic People’s Republic of Korea (DPRK), became embedded in the teams behind several recognized DeFi projects. Tay reported that these individuals were not limited to conducting attacks or stealing from protocols but actively participated in building the underlying infrastructure.
This information was shared during an ongoing discussion on the social platform X, sparked by a separate account recalling a job interview experience with an individual later linked to the Lazarus Group, the well-known hacking collective tied to the DPRK. According to the account, the candidate demonstrated convincing technical skills, passed standard screenings, and participated in video calls before declining further interviews that required travel.
Drift Protocol, a DeFi project focused on derivatives trading, was cited as a recent example where a state-affiliated agent was discovered to have worked within the team for six months before a significant exploit occurred in April 2024. This case mirrors concerns that advanced actors have found new methods to remain undetected within crypto startups.
Tay’s response went beyond isolated anecdotes, sharing a list of over 40 projects where DPRK IT workers reportedly contributed. Well-known protocols like SushiSwap, Thorchain, Yearn Finance, Fantom, and Harmony appeared among the names, surprising many users, including experienced market observers who were unaware of such connections.
Skilled developers embedded in key projects
According to Tay, the backgrounds of these workers often appeared solid, with resumes listing extensive experience in blockchain development. In Tay’s words, the claims of “seven years of blockchain development” were not fabricated. These developers were described as highly competent, capable of passing technical interviews and writing meaningful code.
When asked about financial damages associated with these activities, Tay estimated that at least $6.7 billion had been siphoned from the crypto industry through efforts involving DPRK-linked individuals operating inside legitimate organizations and projects.
Several projects listed by Tay were discussed in more detail. For instance, Harmony was mentioned in connection with an embedded developer who later assisted users whose wallets had been compromised, while a separate hacking group perpetrated a major incident involving the protocol. Beanstalk, another DeFi protocol, was highlighted in relation to the involvement of workers who were distinct from those who executed actual exploits.
In SushiSwap’s case, Tay referenced prior research identifying a developer known as Eratos, also referred to as Anthony Keller or Daiki Saito, highlighting past reporting that had already flagged this individual’s links to North Korea. The documentation for this claim was attributed to the website chollima-group.io, which researches DPRK cyber operations.
Industry response and broader implications
While regulatory authorities have recently intensified efforts to disrupt North Korean IT worker networks, with the U.S. Treasury’s Office of Foreign Assets Control (OFAC) targeting several individuals and entities in 2024, Tay’s analysis implies that infiltration has been an ongoing issue since the early days of DeFi and involves more organizations than previously recognized.
OFAC’s inquiries revealed that networks of DPRK workers operating under false identities generated hundreds of millions of dollars by securing jobs at crypto firms worldwide. However, Tay’s disclosures point to a deeper risk: state-linked actors not only seeking employment but also shaping the development and security of widely used protocols.
Tay, known within the crypto community as a veteran in on-chain analysis and threat research, continues to update the thread and expand on these findings. The allegations have since sparked renewed debate about the ability of emerging crypto projects to vet contributors and shield themselves from sophisticated long-term infiltration strategies.




