ZachXBT says a Solana-based DeFi project hired a North Korean IT worker for years, raising fresh questions about DPRK infiltration in crypto teams. The on-chain investigator claims ElementalDeFi employed the worker under a fake identity, despite long-running warnings about North Korean “IT crews” using remote jobs to skirt sanctions.
What ZachXBT Alleges About ElementalDeFi
The claim surfaced after crypto outlets and social posts highlighted a new thread from ZachXBT tying ElementalDeFi to a DPRK-linked developer. While the full investigation has not yet been published in long-form, summaries say the worker helped maintain the project over “years,” not just for a short freelance contract.
ZachXBT has previously documented how North Korean IT teams use fake names, rented devices, and Upwork or LinkedIn accounts to win remote development roles at Web3 projects. In earlier work, he traced at least $16.5 million in crypto payments to such workers, arguing that teams often fail to run deep background checks on their remote hires.
DPRK IT Networks and DeFi Infiltration
Security researchers say this is not an isolated case. MetaMask developer Taylor Monahan and others have warned that North Korean-linked developers have been contributing code to DeFi protocols “all the way back to DeFi summer,” sometimes with seven years of apparent blockchain experience. She and others have listed major protocols that likely relied on DPRK-linked talent at some point, including well-known Ethereum and cross-chain projects.
U.S. authorities say these IT crews are part of a broader money-raising machine for North Korea’s government. A March 2026 report from Chainalysis noted that the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned several individuals and entities tied to IT worker fraud schemes that earned an estimated $800 million in 2024, often with crypto in the mix. Investigators also link DPRK teams to major hacks, including a recent $286 million exploit of Solana’s Drift Protocol, where behavior on-chain matched methods used in prior North Korea-attributed attacks.
Solana, the operating system for ElementalDeFi, has already had a number of high-profile security vulnerabilities and exploits in recent months. The disclosure that a DPRK IT employee apparently spent years inside one of its DeFi teams heightens concerns over insider danger, backdoors, and hidden vulnerabilities in smart contracts.
Public records currently show no proof that attackers have compromised ElementalDeFi or that this hiring has depleted user funds.
READ MORE: Top 4 Reasons the VOO ETF Stock Will Surge to a Record High Soon
