Crypto protocol Stabble urged users to withdraw funds on 7 Apr after identifying a developer associated with the project linked to a North Korean IT worker network.
Stabble Calls for Withdrawals over Developer Tied to North Korean Network
7 April 2026 - 22:15 CEST
By Ana Pereira
The warning followed posts by a blockchain investigation account, ZachXBT. Accorindg to ZachXBT, an individual using the name “Keisuke Watanabe” had operated as a developer while being tied to a network of North Korean operatives working in the crypto sector under false identities. ZachXBT cited research from the Chollima Group, which has documented efforts by North Korean IT workers to infiltrate crypto companies to generate revenue or gain access to internal systems.
Inside risk surfaces
Stabble is a decentralized finance protocol on Solana that offers liquidity pools for token swaps and yield generation. The project operator said liquidity providers should “temporarily withdraw” funds as a precaution, adding that a new team has taken over and that external audits are being arranged. The protocol had roughly $1.7mn in liquidity locked on 7 Apr.
The individual had also previously worked with Elemental, a firm that develops blockchain infrastructure and tools used by decentralized applications. An Elemental representative said on X that the company later determined the former employee had misrepresented their identity.
It is unclear what roles Watanabe allegedly held at either protocol, though Chollima's independent investigation indicates he may have served as CTO at a crypto project.
A familiar playbook
The developments come days after Drift Protocol, a Solana-based perpetual futures exchange, said North Korea-linked scammers likely orchestrated a $280mn exploit after spending months cultivating trust with employees through in-person meetings at crypto conferences and follow-up calls before gaining access to admin keys and draining the protocol’s vault. Blockchain analytics firm Elliptic also noted that some transaction patterns observed in the aftermath were consistent with activity previously linked to North Korean actors.
The case underscores wider concerns about North Korean infiltration of crypto firms. Speaking at the DevConnect conference in November, Pablo Sabbatella, founder of Opsek, said as many as 20% of crypto companies may unknowingly employ North Korean agents, who use fake identities and freelance intermediaries to gain access to internal systems, echoing an earlier New York Times report on the topic.
Security researchers say North Korea’s involvement in crypto exploits is driven by sanctions that restrict its access to global financial systems.
