How North Korea Leverages Software Developers for Cyber Espionage and Crypto Theft
2024-08-26 • ZeroShadow
ZeroShadow describes DPRK IT-worker infiltration against crypto and DeFi organizations, using fake identities to obtain developer roles, collect salaries, and create insider access. The DeltaPrime case identified three DPRK-associated developers who had worked for months using fake KYC documents after contacting the project through Discord and Telegram. ZachXBT traced salary and theft-related crypto flows to a cluster linked with other remote developers and an exchange account associated with OFAC-sanctioned Sim Hyon Sop. DeltaPrime responded by blocking worker access, rotating credentials and private keys, terminating sessions, reviewing logs, and auditing code touched by the workers.
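One concrete form of the last response step, auditing code touched by the workers, as an added example that is not ZeroShadow's or DeltaPrime's own code. It assumes a log produced with `git log --format='commit %H%nauthor %ae' --name-only`; the commits, file paths and identities below are constructed placeholders.

```python
"""Added example (not ZeroShadow's or DeltaPrime's code): audit which files a set of
suspect committer identities touched, from `git log --format='commit %H%nauthor %ae'
--name-only` output, and flag files whose newest change came from a suspect."""
# Constructed sample of git log output (newest commit first); all names are placeholders.
SAMPLE_LOG = """\
commit bbb222
author maintainer@example.invalid

src/utils/math.sol

commit aaa111
author dev.alpha@example.invalid

src/vault/withdraw.sol
src/utils/math.sol

commit ccc333
author dev.beta@example.invalid

scripts/deploy.sh
"""

# Placeholder identities standing in for the worker accounts under review.
SUSPECTS = {"dev.alpha@example.invalid", "dev.beta@example.invalid"}


def parse_log(text):
    """Return [(commit, author_email, [files])] in the order git printed them."""
    commits, cur = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = [line.split()[1], None, []]
            commits.append(cur)
        elif line.startswith("author "):
            cur[1] = line.split()[1]
        elif line.strip():
            cur[2].append(line.strip())
    return [tuple(c) for c in commits]

def audit(text, suspects):
    """Map suspect-touched files to their suspect commits; last_author_suspect is
    True when no one else has changed the file since, so it is reviewed first."""
    report, newest_author = {}, {}
    for commit, author, files in parse_log(text):  # git log is newest first
        for path in files:
            newest_author.setdefault(path, author)
            if author in suspects:
                report.setdefault(path, {"commits": []})["commits"].append(commit)
    for path, entry in report.items():
        entry["last_author_suspect"] = newest_author[path] in suspects
    return report
```

Files where a suspect made the most recent change have had no later edits by anyone else, so they go to the top of the review queue; the others still need review, but a non-suspect has at least touched them since.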