North Korean IT workers helped build the best protocols during the DeFi summer, the expert says



Taylor Monahan said the North Korean developers were not faking their resumes, adding that they were building prominent decentralized finance (DeFi) platforms and later managed to rack up billions in cryptocurrency losses.

Cybersecurity researcher Taylor Monahan claimed that IT workers linked to North Korea have been operating in the decentralized financial ecosystem for years. Monahan stated that these actors contributed to several well-known protocols during the “DeFi Summer” era of 2020.

According to her latest tweet, the years of blockchain development experience listed on their resumes were mostly real, demonstrating real technical contributions rather than fabricated credentials.

Years of DeFi hacking

When asked for examples, she pointed to several notable projects, including SushiSwap, THORChain, Yearn, Harmony, Ankr, and Shiba Inu, among many others. Monahan also revealed that some teams, like Yearn, stood out due to their strict approach to security, relying heavily on peer review and maintaining a high level of skepticism towards contributors.

She noted that this helped limit potential exposure compared to other projects. Additionally, Monahan warned that tactics have evolved, and these groups are now likely using non-North Korean individuals to carry out parts of their operations, including personal interactions. According to the security expert’s estimates, these entities may have collectively extracted at least $6.7 billion from the cryptocurrency space during this period.

North Korea has continued to dominate cryptocurrency-related cybercrime, emerging as the largest state-backed threat in the sector. According to a previous report by Chainalysis, DPRK hackers stole at least $2.02 billion worth of digital assets in 2025 alone, representing a 51% increase from 2024 and accounting for 76% of all service-related breaches.

Although the number of attacks was smaller, their scope was much greater. Chainalysis attributed this scale to state-backed groups’ use of hacker IT workers who gained access to cryptocurrency companies, including exchanges and custodians, before major exploits occurred.

Once the money is stolen, these actors typically move assets in smaller transactions, with more than 60% of transfers worth less than $500,000. Their money laundering methods rely heavily on cross-chain tools, mixing services, and Chinese-language financial networks.

Previously, the Security Alliance (SEAL) found that cyberattacks using fake Zoom or Microsoft Teams calls were carried out by these groups to infect victims with malware. These operations are often initiated by compromised Telegram accounts, where attackers pose as known contacts and invite targets to join a video call.

During the meeting, pre-recorded videos are used to appear legitimate before victims are asked to install a supposed update, which gives the attackers access to their devices instead. Once inside, they steal sensitive data and reuse the hijacked accounts to spread the attack further.

Expand the attack surface

North Korea-linked hackers were also suspected to be behind the Bitrefill breach on March 1st. The attackers reportedly gained entry through a compromised employee’s device and were able to extract credentials that allowed deeper access into internal systems.

From there, they moved into parts of the database and drained funds from hot wallets while also exploiting gift card supply flows. Indicators such as malware patterns, on-chain behavior, and reused infrastructure matched previous operations associated with the Lazarus and Bluenoroff groups.
