Meet the Top 101 in Crypto
News
6 min read

Lazarus Group May Have Compromised Multiple Top DeFi Protocols—What We Know So Far

Published 06 April 2026
Prashant Jha
Authors
Edited by Insha Zia

Key Takeaways

  • Lazarus Group may have helped build many top DeFi protocols through long-term infiltration and code contributions.
  • The group executed a sophisticated $285 million Drift Protocol hack using months of social engineering and malware.
  • Social engineering remains Lazarus’ core tactic, seen in major hacks like Ronin and ongoing DeFi targeting.

A new wave of on-chain analysis is forcing the crypto industry to confront an uncomfortable possibility.

One of its most sophisticated adversaries may have been inside the system all along.

North Korea’s Lazarus Group—already linked to some of the largest crypto thefts on record—is now suspected of embedding operatives deep within DeFi projects, contributing code, building trust and, in some cases, shaping the very infrastructure they would later exploit.

Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Opened in 2017
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

A Long Game Hidden in Plain Sight

For years, Lazarus has been known for high-profile exploits.

What is emerging now is something more patient—and more difficult to detect.

Rather than relying solely on technical vulnerabilities, the group appears to have leaned heavily on social engineering and human access.

Reports suggest operatives used fake identities, freelance platforms and direct outreach to secure roles inside crypto projects.

Discord channels, developer communities and even industry conferences became entry points.

Once inside, the strategy changes. Instead of rushing to exploit, these actors build credibility.

They contribute code, participate in development cycles and gain familiarity with internal systems.

Over time, that access can translate into deep knowledge of protocol architecture—or, in worst cases, subtle vulnerabilities that remain dormant.

Blockchain researcher Tayvano has pointed to contributions linked to North Korean IT workers across a wide range of projects since DeFi’s rapid expansion in 2020.

This includes top platforms such as SushiSwap, THORChain, Harmony, Ankr and Yearn Finance.

If accurate, the implication is stark: parts of DeFi’s growth may have occurred alongside an invisible layer of state-sponsored participation.

When Open-Source Becomes an Attack Surface

DeFi’s openness has always been one of its defining strengths.

Anyone can contribute, audit or build. That same openness, however, creates exposure.

Early-stage protocols often lacked rigorous vetting for contributors, especially during the fast-moving “DeFi Summer” period.

That environment made it easier for well-prepared actors to blend in.

Reports suggest Lazarus-linked operatives didn’t rely on anonymity alone.

Some built credible resumes, maintained consistent online identities and even met collaborators in person.

Trust, once established, provided access to repositories, development discussions and internal workflows.

The result is not necessarily an immediate compromise—but a long-term foothold.

Security researchers increasingly warn that traditional audits may not be enough to detect risks introduced at the contributor level.

The threat is not just faulty code. It is trusted access.

The Drift Hack Shows How It Plays Out

The recent attack on Drift Protocol illustrates how that strategy can translate into real-world losses.

On April 1, attackers drained roughly $285 million from the Solana-based decentralized exchange.

Multiple blockchain intelligence firms, including Elliptic and TRM Labs, attributed the breach to North Korean actors.

Drift’s own post-mortem points to a months-long operation built around relationship-building.

The attackers posed as a legitimate trading firm, initiated contact at conferences and maintained ongoing collaboration with contributors.

To build trust, the fake firm deposited $1 million of its own capital into an ecosystem vault and participated in regular working sessions.

Once the relationship felt routine, attackers shared GitHub repositories containing code for review, a standard practice in collaborative development.

They exploited a VSCode and Cursor vulnerability, which the security community flagged in late 2025.

By the time malicious code entered the process, it did not appear unusual.

Opening a seemingly routine file triggered silent execution, allowing attackers to deploy malware, escalate access and ultimately take control of key systems.

The theft was executed quickly. This was no smash-and-grab phishing email. It was a professional and relied on exploiting human trust rather than bugs in code.

Drift warned that every DeFi protocol managing significant TVL was now a target.

Social Engineering Remains Lazarus’ Core Weapon

The Drift incident fits a broader pattern.

Lazarus has consistently relied on social engineering to bypass technical defenses.

The 2022 Ronin Network breach, which resulted in $625 million in losses, began with fake job offers targeting a developer.

An engineer at the company downloaded malware, which compromised validator nodes and enabled the massive theft.

The 2023 CoinsPaid attack followed a similar playbook, using a staged hiring process to gain access.

More recent campaigns have involved compromised accounts, fake video calls and malware disguised as meeting software.

Victims receive Calendly links for “catch-up” calls, followed by links to fake meeting software that deploys malware through AppleScript or similar scripts.

The malware extracts wallets, passwords, seed phrases, SSH keys, and Telegram session tokens.

Attackers then hijack the victim’s identity to target various networks. Lazarus has stolen over $300 million through this method alone.

In many cases, the initial point of entry looks routine: a job opportunity, a collaboration request or a familiar contact reaching out.

A Structural Risk for DeFi

Taken together, these developments point to a deeper issue than isolated hacks.

If state-linked actors have contributed to widely used protocols, the risk is not confined to a single platform.

It becomes systemic. Infrastructure such as cross-chain bridges, liquidity pools and token frameworks could carry unknown exposure.

That does not mean every project is compromised. But it does complicate the assumption that open collaboration automatically leads to secure outcomes.

The industry now faces a more complex threat model—one where adversaries operate not just as attackers, but as participants.

What Comes Next for DeFi

The response is already starting to shift.

Developers are placing greater emphasis on operational security: separating signing devices, tightening contributor vetting and introducing stricter review processes.

Some teams are exploring zero-trust models, where access is continuously verified rather than assumed.

For users, the changes may be less visible but equally important.

Multisignature wallets, time-lock mechanisms and careful verification of interactions are becoming standard recommendations rather than optional safeguards.

At a broader level, the conversation is expanding to include contributor transparency, threat intelligence sharing and, in some cases, regulatory scrutiny.

A Turning Point for Trust

DeFi was built on the idea that trust could be replaced by code.

The Lazarus revelations suggest that trust never disappeared—it just moved.

From protocols to contributors, from smart contracts to human relationships, the system still depends on assumptions about who is participating and why.

As the industry matures, those assumptions are being tested.

The question now is not whether DeFi can remain open. It is whether it can stay open while defending against actors who have already learned how to operate within it.

Prashant Jha

Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.

His coverage spans major industry events, including the high-profile collapses of FTX, Three Arrows Capital (3AC), and LUNA, offering readers insightful analyses of their regulatory and market implications. Prashant’s technical background enables him to bridge the gap between intricate blockchain technology and its real-world applications, making his work accessible to novices and experts.

Beyond his professional pursuits, Prashant is an avid music enthusiast, often exploring diverse genres to unwind. A sports lover, he has a particular passion for cricket and frequently engages in discussions about the game. His multifaceted interests and sharp journalistic instincts make him a valuable contributor to CCN, where he continues shaping the crypto landscape's narrative.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status