Taylor Monahan, co-founder of MyEtherWallet, said North Korean developers may have contributed to well-known protocols since the DeFi Summer period.

Allegations and recruitment case

The statement followed a report about a job candidate who passed interviews at a crypto company but was later identified as connected to the Lazarus Group.

According to Monahan, industry specialists believe such people can work in projects for years while blending in as ordinary developers within teams and organizations.

Methods observed in attacks

Security analysts attribute a range of techniques to Lazarus-linked operations, from credential theft to social engineering and complex intrusion campaigns.

• Phishing and credential harvesting used to obtain access to wallets and internal systems.
• Fake job offers and recruitment schemes aiming to place operatives or obtain sensitive information.
• Dedicated cyber units conducting sophisticated, multi-stage thefts and laundering of proceeds.

Scale and ongoing activity

Estimates indicate that structures associated with the Lazarus Group have stolen about $7 billion since 2017, and attacks reportedly continue across multiple vectors.

Monahan and cited experts emphasize that the presence of such operatives complicates attribution and increases operational risk for protocols, tooling providers and hiring teams alike.

Industry participants and security teams are advised to maintain rigorous onboarding checks and threat intelligence practices to reduce the risk posed by malicious insiders and deceptive recruitment.