Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces
The protocol’s total value locked stood at approximately $1.75 million at the time of the alert, with significant withdrawals already underway and a large portion of funds concentrated in a single wallet. The limited TVL contained the scope of any potential risk.
DPRK-linked IT workers infiltrating crypto and DeFi projects is a documented pattern spanning at least seven years. These operatives frequently pose as Japanese or other foreign developers to gain insider access. U.S. authorities and independent researchers have flagged suspected North Korean workers inside more than 40 DeFi platforms.
The recent Drift Protocol exploit on Solana, estimated at approximately $280 million and attributed to suspected North Korean actors, involved months of social engineering rather than a smart contract vulnerability.
Stabble fits the profile of a project vulnerable to legacy team risks. The new management inherited a codebase and contributor history they had not fully audited. Their decision to pause operations and seek fresh audits from major firms reflects a precautionary posture over optics.
The team reported operational progress in the weeks before the incident, including doubled TVL, a threefold to fourfold revenue increase, and a 100 percent price increase. Those gains remain intact, as no funds were lost and the protocol continues to process withdrawals.
ZachXBT’s disclosure connected Watanabe to Elemental founder “Moo” during commentary on the Drift hack, with Stabble caught in the broader call-out through its prior association with the same individual. The cross-project exposure highlights how one confirmed bad actor can ripple across multiple protocols.
“Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years,” ZachXBT remarked.
Moo rejected the accusation of virtue signaling and shifted the focus to accountability. The Elemental founder argued that when major failures occur, the minimum standard is to acknowledge mistakes, communicate transparently, and face users directly.
Community response to Stabble’s handling was split. Some users credited the team for transparent, fast action. Others criticized the blunt “EMERGENCY” framing as likely to cause unnecessary panic given the absence of a confirmed threat.
The Stabble team plans to contact major auditing firms before reopening liquidity operations. No timeline has been confirmed. Crypto projects of all sizes continue to face pressure to vet contributors through background checks, code review isolation, and privilege controls. The Stabble incident adds to a growing list of cases where DPRK-linked identity fraud reached projects long after the operative had moved on.
