North Korean “Ghost” Developers Infiltrate DeFi: Multi‑Role Ops Across Multiple Projects
An investigation reveals that North Korean state‑linked developers, using fake identities and remote tooling, have simultaneously held senior roles in several Solana‑based DeFi projects, leading to a sudden 62% TVL drop in Stabble and exposing systemic vulnerabilities in the industry’s hiring and audit practices.
Event Recap: From Elemental to Stabble’s Chain Reaction
1.1 ZachXBT’s Investigation
On April 7, blockchain investigator ZachXBT published research showing that the Solana‑based infrastructure project Elemental DeFi employed a developer with North Korean government ties. The individual used the alias “Keisuke Watanabe” and operated multiple GitHub accounts (kasky53, keisukew53, kdevdivvy, 0xWoo) and associated email addresses, all linked to Solana and Ethereum wallets.
1.2 Stabble’s “Midnight Horror”
Hours after ZachXBT’s tweet, the Solana DEX Stabble (TVL ≈ $1.75 M) discovered that the same developer was hired a year earlier as its CTO. The team, having taken over the project only four weeks earlier, issued an emergency notice urging liquidity providers to withdraw funds. Within hours, Stabble’s TVL fell from about $1.75 M to under $0.663 M, a decline of more than 62%.
“EMERGENCY! All liquidity providers, withdraw immediately! Better safe than sorry.”
Stabble later clarified that no smart‑contract exploit occurred, no security breach was reported, and user funds remained safe.
Deep Analysis: North Korean IT Workers’ “Group‑Control” Model
2.1 One Person, Multiple Roles
A single North Korean developer can simultaneously work for 5‑10 DeFi projects, using AI‑generated avatars, forged LinkedIn and Upwork profiles, and fake social‑security numbers. Salaries are routed through laundering protocols or intermediaries to sanctioned addresses that ultimately flow back to North Korea.
2.2 Operational Tactics
Fake Identity Documents: forged government IDs and phone numbers.
Professional Packaging: polished LinkedIn and Upwork profiles.
Impersonation: some pose as employees of Polygon Labs, OpenSea, or Chainlink.
Remote Operation: VPNs mask geographic location; tools like AnyDesk enable control of development environments from elsewhere.
Social Integration: participants adopt DeFi slang to blend in with legitimate developers.
Why Were They Undetected? Three Core Tactics
3.1 Resume Packaging
Developers claim experience at major firms (OpenSea, Chainlink, Polygon Labs) and can answer technical interview questions convincingly. ZachXBT noted that over 30 fake identities were used in 2025 alone.
3.2 Outsourcing Cover
Present themselves as remote contractors.
Use VPNs to appear located in Japan or Western countries.
Operate via AnyDesk, keeping the true device hidden.
Avoid direct exposure of real identity, reducing detection risk.
3.3 Small‑Scale Infiltration + Long‑Term Persistence
Initial activity may not involve theft.
Over time they acquire code‑merge rights, multisig authorizations, and access to sensitive systems.
Elliptic, a UK blockchain analytics firm, estimates that North Korean‑linked actors have penetrated more than 40 DeFi platforms.
Industry Warning: Why DeFi Is So Fragile
4.1 Human Governance Weakness – “Code Is Law?”
Code is written by people. If the author deliberately embeds a backdoor, an audit of the code alone may miss the logical trap.
4.2 KYC Failure
Many DeFi projects hire solely based on GitHub contributions, ignoring real‑world identity verification. This opens a pathway for state‑backed actors.
Traditional KYC: ID verification, background checks, salary traceability.
DeFi Hiring: no ID checks, no background checks, payments via untraceable crypto.
Recommendations
Upgrade Background Checks: rigorously verify core developers’ identities.
Isolate Code Permissions: limit a single developer’s merge authority.
Enhance Multisig: require multiple approvals for critical actions.
Continuous Monitoring: regularly audit team member identities and access.
The Stabble incident is only the tip of the iceberg. From Elemental to Stabble, and from the $285 M Drift Protocol hack to the “one‑person‑multiple‑jobs” pattern, the DeFi sector faces a trust crisis driven by human actors.
Black & White Path
