A suspected DPRK IT worker was employed at THORSwap
2026-05-11 • meowmfer
A suspected DPRK IT worker allegedly gained employment at THORSwap and submitted eight pull requests to the official swapkit/SwapKit repository between July and September 2024, with at least three merged. The merged PRs changed wallet integration code for Talisman, Polkadot.js, and Chainflip; this layer handles user fund interactions across THORChain, Chainflip, and EVM chains. The investigation links four GitHub identities through shared email and username patterns, including a THORSwap employee identity, and says one linked email appeared on a DPRK-operated freelancing platform. The same cluster is tied to a Zoom screen-sharing hider, MEV tooling, collaboration with other suspected DPRK accounts, and possible access to THORSwap private development code.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0x0f8018Bd90c61EE0B4D3C75B0FbDE… | 2026-05-11 | 2026-05-11 |
| EMAIL | [email protected] | 2026-05-11 | 2026-05-11 |
| EMAIL | [email protected] | 2026-05-11 | 2026-05-11 |
| EMAIL | [email protected] | 2026-05-11 | 2026-05-11 |
| EMAIL | [email protected] | 2026-05-11 | 2026-05-11 |