North Korean DeFi infiltration warning after Lazarus-linked hacks and Drift exploit
Security researcher Taylor Monahan warns of long-running North Korean infiltration of DeFi through human vectors. She says North Korean-linked IT workers have been involved with 40+ DeFi platforms over at least seven years, raising insider-risk concerns through hiring and social engineering. The latest focus is Drift Protocol’s ~$280M exploit. Drift says it has medium-high confidence that a North Korean state-affiliated group carried out the attack, citing infiltration and social-engineering patterns. Meetings reportedly involved third-party intermediaries with fully constructed identities rather than DPRK nationals directly.
Investigators also connect the broader Lazarus Group to DPRK-backed cybercrime, estimating about $7B stolen since 2017. Major incidents cited include the 2022 Ronin Bridge exploit ($625M), the 2024 WazirX hack ($235M), and the 2025 Bybit heist ($1.4B). Independent investigator ZachXBT adds that not all threats are highly sophisticated—some rely on relentless credential and interview-based infiltration rather than advanced technical tactics.
For traders, the North Korean DeFi infiltration narrative can lift perceived protocol risk and increase headline-driven volatility around the affected ecosystems—especially DeFi governance, integrations, and bridge/liquidity events tied to DRIFT, RON, and WRX.
Bearish
This news is negative for the specific affected DeFi tokens (not a broad macro driver). The reporting links North Korean DeFi infiltration and Lazarus-type activity to repeated, high-value exploits and renewed scrutiny after Drift’s ~$280M incident. Traders typically respond by de-risking around governance, integrations, and bridge/liquidity routes, increasing short-term sell pressure and widening risk premia. In the longer term, if hiring/credential infiltration is viewed as persistent, it can sustain lower confidence and higher volatility expectations for impacted ecosystems.