Meet the Top 101 in Crypto
News
4 min read

North Korean Hackers May Be Inside DeFi—Can the ‘Kim Jong Un’ Test Stop the Next Major Hack?

Published 08 April 2026
Prashant Jha
Authors

Key Takeaways

  • Lazarus Group infiltrates DeFi through social engineering and fake developer hires, embedding in projects for years.
  • A simple “Kim Jong Un test” can expose suspected operatives during interviews.
  • North Korea-linked thefts have topped $7 billion after the latest Drift Protocol hack.

Decentralized finance (DeFi) promised borderless access and trustless systems. But it has also become a target for state-backed actors.

North Korea’s Lazarus Group has infiltrated multiple DeFi projects using social engineering and fake developer identities.

A simple interview tactic is now emerging as one way to detect potential operatives.

Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Opened in 2017
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

The “Kim Jong Un Test”

Following the Drift incident, some teams have adopted an unconventional screening method known as the “Kim Jong Un test.”

During interviews, candidates may be asked to criticize North Korea’s leader.

Recruiters report that suspected operatives often hesitate, deflect, or end the conversation, while others respond normally.

A widely shared video in April 2026 showed a candidate abruptly disconnecting during such a prompt, fueling discussion within crypto hiring circles.

Some developers say they use this method alongside standard checks such as sanctions screening and background verification.

MetaMask security researcher Taylor Monahan has also warned that North Korean IT workers have embedded themselves in dozens of DeFi projects over several years, in some cases contributing legitimate code.

Projects such as SushiSwap, THORChain, Yearn Finance and Fantom have reportedly had contributors later linked to DPRK networks, though attribution varies by case.

Lazarus Group infiltration.
DPRK-backed hackers have infiltrated nearly 40 DeFi projects.

Lazarus Infiltration

The Lazarus Group, also tracked as UNC4736, AppleJeus, or Citrine Sleet, operates as North Korea’s primary revenue-generating cyber unit. 

Rather than relying solely on code exploits, the group excels at human manipulation.

Operatives pose as skilled developers or IT freelancers, often using stolen identities. 

They apply for remote roles at crypto firms, attend industry conferences, and build rapport over months via Telegram or in-person meetings.

Once inside, they can gain access to repositories, internal systems or governance processes.

This access may allow them to introduce vulnerabilities, deploy malware or exploit operational weaknesses.

In the Drift case, attackers reportedly spent months building relationships before introducing compromised code.

The exploit targeted developer tools and resulted in the theft of sensitive credentials and access keys.

Repeated Patterns Across DeFi

The Drift incident reflects a broader pattern seen across the industry.

Previous cases include the $625 million Ronin Network breach in 2022 and other exploits tied to compromised access rather than direct smart-contract flaws.

Solana-based protocols and fast-growing DeFi ecosystems have become frequent targets due to their scale and activity levels.

The Drift exploit, which resulted in losses of about $285 million, was attributed by blockchain analytics firms including Elliptic and TRM Labs to North Korean-linked actors.

Lazarus Group Stole Billions Over a Decade

The financial impact from these sophisticated state-sponsored actors is enormous.

Chainalysis reported that North Korean hackers stole a record $2.02 billion in cryptocurrency throughout 2025 alone, a 51% increase from the prior year, bringing their all-time total to $6.75 billion.

In 2026, the pace continues. The Drift heist alone ranks among the largest single DeFi exploits on record, and analysts estimate that over $300 million was stolen in the first quarter. 

These funds are laundered through mixers, DeFi swaps, and layered wallets before supporting the regime’s nuclear and missile programs, according to U.S. Treasury and UN assessments.

Each successful infiltration turns DeFi’s open, permissionless nature into a direct pipeline for state revenue.

Unlike traditional cybercrime, these “bounties” are not one-off; they fund long-term geopolitical goals.

The Drift hack and revelations about seven years of infiltration have shaken the DeFi community.

Protocols are tightening hiring, video interviews, code audits, and yes, the Kim Jong Un test.

Developers are now treating every collaboration, GitHub repo, and conference chat as a potential vector.

North Korean hackers have proven they don’t need zero-days when trust is the weakest link.

As DeFi grows, so does the incentive for state actors to embed deeper.

The next billion-dollar heist may already be in motion, unless teams start asking the right questions before it’s too late.

Prashant Jha

Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.

His coverage spans major industry events, including the high-profile collapses of FTX, Three Arrows Capital (3AC), and LUNA, offering readers insightful analyses of their regulatory and market implications. Prashant’s technical background enables him to bridge the gap between intricate blockchain technology and its real-world applications, making his work accessible to novices and experts.

Beyond his professional pursuits, Prashant is an avid music enthusiast, often exploring diverse genres to unwind. A sports lover, he has a particular passion for cricket and frequently engages in discussions about the game. His multifaceted interests and sharp journalistic instincts make him a valuable contributor to CCN, where he continues shaping the crypto landscape's narrative.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status