According to cybersecurity researcher Taylor Monahan, workers connected to North Korea have been secretly involved in the world of decentralized finance (DeFi) for several years. Monahan says these individuals helped build some popular DeFi projects during the rapid growth period of 2020, often called “DeFi summer.”
Her recent tweet suggests that the blockchain experience these workers claimed on their resumes was often legitimate: they actually had the skills they presented rather than fabricating them.
Years of DeFi Infiltration
She highlighted several well-known projects as examples, such as SushiSwap, THORChain, Yearn, Harmony, Ankr, and Shiba Inu. Monahan also noted that some teams, particularly Yearn, prioritized security by thoroughly reviewing code and carefully vetting all contributions.
She suggested this approach reduced risk compared to other efforts. Monahan also cautioned that these groups are adapting, and may now be using people who aren’t from North Korea to handle some of their work, even meeting with others in person. The security expert believes these groups have stolen at least $6.7 billion from the cryptocurrency world during this time.
North Korea remains the biggest source of cybercrime involving cryptocurrency. A recent report shows that hackers linked to the country stole at least $2.02 billion in crypto in 2025 – a 51% jump from the previous year. This activity accounted for a staggering 76% of all crypto-related breaches.
Although the number of cyberattacks decreased, the overall damage was much greater. According to Chainalysis, this is because state-sponsored hackers are increasingly using insiders – IT workers they’ve placed within crypto companies like exchanges – to gain access before launching large-scale attacks.
After stealing money, criminals usually break up the funds into smaller amounts – over 60% of their transfers are less than $500,000. They commonly use tools that move money between different blockchains, services that obscure the origin of the funds, and financial networks based in Chinese-speaking regions to hide the stolen money.
Security researchers at SEAL discovered that certain cyberattack groups were using fake video calls – pretending to be Zoom or Microsoft Teams meetings – to trick people into downloading harmful software. These attacks usually start with compromised Telegram accounts, where the attackers pretend to be someone the victim knows and invite them to a video call.
The scam starts with a seemingly official presentation, often using pre-recorded videos to build trust. Victims are then tricked into installing a fake update that actually lets criminals access their devices. Once they’re in, the attackers steal personal information and use compromised accounts to spread the scam to others.
Expanding Attack Surface
Hackers believed to be connected to North Korea are also thought to have been responsible for the security breach at Bitrefill in March. They apparently accessed the system by using an employee’s compromised device and stole login information, which allowed them to get further into the company’s internal network.
The attackers then accessed the database and stole money from readily available digital wallets. They also manipulated the system used to manage gift cards. The malware used, the way funds were moved on the blockchain, and the tooling involved closely resembled tactics employed by the Lazarus and Bluenoroff hacking groups in the past.
2026-04-06 22:48