A crypto on-chain analyst claims DPRK IT workers helped build major DeFi protocols since DeFi Summer, naming over 40 projects in a viral X thread.
An on-chain analyst just cracked open something the crypto industry has spent years not wanting to look at. North Korean IT workers did not only steal from DeFi protocols. They helped build them.
Tay, a widely followed on-chain investigator on X, posted that DPRK-linked developers were embedded inside major crypto protocols going all the way back to DeFi Summer. The claim came in response to a separate account sharing a personal encounter with a suspected Lazarus operative during a job interview.
Tim, posting on X, said his previous employer came close to hiring someone who later turned up in a Lazarus information dump. The candidate passed technical screenings, joined video calls, and only declined when asked to travel for in-person interviews. Tim noted years later that Lazarus now appears to use non-North Korean nationals to complete in-person meetings, a shift that makes infiltration harder to catch.
That account is worth reading alongside what happened at Drift Protocol, where a state-linked operation spent six months embedded inside the team before the April 1st attack.
The Protocol List No One Expected
Tay’s response stopped the thread cold. Asked directly for examples on X, the analyst posted a list that ran well past 40 names: Sushi, Thorchain, Yam, Pickle, Harvest, Reclaim, Swing, Paid, Naos, Shezmu, Qrolli, Saffron, Sifu, Napier, Harmony, Blueberry, Stabble, Onering, Elemental, Divvy, La Token, Impermax, Kira, Cook, Fantom, Ankr, Gamerse, Metaplay, Spice, Beanstalk, DeltaPrime, Magiccraft, Hector, DeSpace, Depo, CreamFi, Shib, Kumainu, Starlink, Yearn, Floki. The list, Tay added on X, was just off the top of their head.
Fantom and Yearn on that list surprised even experienced observers. One user responded on X saying they had no idea those two had been touched.
Beanstalk drew its own side thread. One user asked whether the Beanstalk hack was DPRK-linked. Tay said yes as far as the workers were concerned, then clarified that the actual exploit was not carried out by the same group. A different DPRK unit handled that.
Sifu came up separately. Tay said the connection ran through the Vision project and possibly one of the Wonderland-related builds.
Seven Years of Blockchain Experience. Not a Lie.
The detail that keeps resurfacing is how legitimate these workers looked. Tay’s original post put it plainly: the “7 years blockchain dev experience” on the resume was accurate. These were real developers. Skilled ones. They passed interviews, wrote working code, and stayed embedded long enough to matter.
A user asked how much DPRK has extracted from the industry through this approach. Tay’s figure on X was at least $6.7 billion.
Harmony came up in the thread with its own detail. One of the DPRK-linked workers embedded there later helped users who had wallets drained. The large Harmony hack was carried out by a separate DPRK cell entirely.
The Sushi link traces back to documented research. Tay pointed to a November 2025 post naming Eratos, also known as Anthony Keller and Daiki Saito, as a DPRK-linked individual found inside SushiSwap. That post referenced published findings at chollima-group.io.
The Shift No One Tracked in Real Time
What the thread reveals is a structural problem. OFAC’s recent action against North Korean IT worker networks targeted six individuals and two entities. The scheme generated close to $800 million in 2024 alone. That figure covers workers placing themselves inside companies. The protocol infiltration Tay is describing goes much further back and runs much deeper.
DPRK workers did not just extract wages. They were inside the architecture.
The thread is still active. Tay has been doing this work, in their own words, for way too long.


