DeFi’s fragmentation opens doors for state hackers

by 1inch network

The DeFi space must unite to defend against state-sponsored hacker groups, such as North Korea’s Lazarus.

In recent months, North Korean hacker groups, in particular the Lazarus Group, have emerged as one of the most significant threats to the crypto industry. Multiple investigations into high-profile incidents, including the $1.5 billion Bybit hack in February 2025, have traced their origins to North Korea.

North Korea is among the most widely known state sponsors of cyber operations, but it is not the only one. Other governments have also been linked to cyber attacks targeting the crypto space. This growing threat highlights the need for a collective, coordinated response.

Countering state-sponsored activity is far more difficult than dealing with independent hackers or small teams. Building a stronger, industry-wide defense is essential to reducing the isolation and exposure of digital platforms. Without unified action, even platforms with advanced security measures remain vulnerable.

In this context, 1inch joined a coalition led by ZeroShadow and Security Alliance that aims to establish shared standards and voluntary safeguards across the industry before risks escalate further.

The coalition also includes SEAL, Bybit, WazirX, Sky Mavis, MetaMask, ENS, the Cayman Islands Bureau of Financial Investigation, Cryptoforensic Investigators and others. Together, this group will work on concrete next steps to strengthen trust, resilience, and accountability across the crypto and DeFi ecosystem.

There are three primary areas where DeFi can come together to address the challenge posed by state-sponsored hackers from North Korea and elsewhere.

Share information and intelligence

Standardizing real-time threat intelligence sharing is crucial, drawing on models such as the “DeFi War Room” used during the Bybit hack response. Another possible approach is an automated, cross-protocol system for distributing threat signals, supported by governance protocols.

Joint messaging is another important element. Industry initiatives could focus on educating users and projects about methods linked to DPRK actors, such as exploits of bridges, phishing campaigns, and fake dApps. Shared reports, wallet cluster data, and scam playbooks could form part of this collective effort.

Collaborate on open-source defense tools

The ecosystem would benefit from a common framework for wallet screening UX across DeFi interfaces, beyond protocol-level enforcement. Tools such as ZeroShadow, SEAL911, TRM, Web3 Antivirus, and Blockaid can support this.

Address-risk logic for interface-level blocks and alerts could serve as the basis for a coalition-wide “Front-End Integrity Layer.”

A “Coalition Member” seal displayed in dApp interfaces could help establish baseline security standards and onboarding requirements.

API-standardized risk callouts could also prove effective. For example, 1inch already tags “malicious” and “restricted” tokens and wallets, and this framework could inform a shared registry API for coalition members.

Block stolen funds

When breaches occur, swift and coordinated action to block the flow of stolen funds and pursue recovery is critical.

Developing recovery coordination standards is a priority. As an initial step, discussions could cover voluntary transfers of possible fees from bad actors into recovery processes. At a later stage, DeFi-specific recovery protocols could be created to enhance collective defense.

In an environment where state-backed hackers, from Lazarus to their Chinese counterparts, are escalating their campaigns against DeFi platforms, the industry needs to quickly unite its security efforts to safeguard the ecosystem’s future.

Stay tuned for more risk management content!
