Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
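The three-way comparison described above, as an added Python example (not AVOID.NET's own src.verify_decision code). It takes the memo text as a string rather than fetching it from Solana; the sample decision, id and timestamp are constructed, and the base58 alphabet is assumed to be the Bitcoin one that Solana uses.

```python
import hashlib

# Bitcoin base58 alphabet, which Solana also uses (assumed to be the page's "base58").
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def commitment(canonical: str) -> str:
    """base58(SHA-256(UTF-8 bytes)), hashed exactly as stored, never re-serialized."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str) -> dict:
    """Parse 'AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>' strictly."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[:2] != ["AVOID.NET", "v1"]:
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for key, part in zip(("h", "d", "t"), parts[2:]):
        if not part.startswith(key + ":"):
            raise ValueError(f"expected field {key!r}, got {part!r}")
        fields[key] = part[2:]
    return fields


def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Compare database hash, recomputed hash and on-chain memo hash."""
    recomputed = commitment(canonical)
    memo_fields = parse_memo(memo)
    result = {
        "recomputed": recomputed,
        # db_hash and canonical both come from the operator's database, so this
        # check alone only shows the database is self-consistent.
        "db_matches": db_hash == recomputed,
        # The memo is the value the operator cannot rewrite after the fact.
        "chain_matches": memo_fields["h"] == recomputed,
        "memo_id": memo_fields["d"],
        "memo_time": memo_fields["t"],
    }
    result["authentic"] = result["db_matches"] and result["chain_matches"]
    return result


# Constructed sample data (not a real AVOID.NET decision).
SAMPLE = '{"kind":"publish","page_slug":"example","sequence_num":1,"v":1}'
SAMPLE_HASH = commitment(SAMPLE)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_HASH}|d:example-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify(SAMPLE, SAMPLE_HASH, SAMPLE_MEMO))
    # One changed byte in the stored string breaks both comparisons.
    print(verify(SAMPLE.replace("publish", "reject"), SAMPLE_HASH, SAMPLE_MEMO))
```

Hash the stored string byte for byte: parsing the JSON and serializing it again with default settings changes whitespace and therefore the digest.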
Decision
publish · ElementalDeFi
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 421451419
- Off-chain at: 2026-05-22T16:07:43.939Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): AF3hxryYFTWUfUsYS5vmQxZwM8hXehQKUbaMmQ7fTP1Q
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (19613 chars)
{"actor":"system:backfill","investigation_id":"cc05fc4b-ea07-464a-93a4-7c6dd94d6658","kind":"publish","page_slug":"elementaldefi","published_at":"2026-05-22T16:07:43.886Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"ElementalDeFi","sections":[{"content":"On April 7, 2026, on-chain investigator ZachXBT disclosed via X (formerly Twitter) that ElementalDeFi had employed an individual operating under the name Keisuke Watanabe for multiple years. ZachXBT directed his disclosure at the ElementalDeFi founder known pseudonymously as 'Moo,' stating: 'Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years.' The disclosure accompanied the release of Watanabe's alleged full name, associated Solana and Ethereum wallet addresses, an email address (keisukew53@gmail.com), and supporting OSINT documentation. Watanabe is alleged to have operated under multiple aliases across GitHub and social platforms, including kasky53, keisukew53, kdevdivvy, and 0xWoo. 
No exploit or confirmed fund breach at ElementalDeFi has been publicly documented as of May 22, 2026; however, public records show no evidence that ElementalDeFi has conducted, commissioned, or announced a security review of code contributed by the alleged operative.","heading":"DPRK IT Worker Employment — ZachXBT Disclosure","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"credibility":2,"name":"Stabble Urges Users To Withdraw Liquidity Following Discovery Of Former North Korean Developer — Metaverse Post","type":"news_article","url":"https://mpost.io/stabble-urges-users-to-withdraw-liquidity-following-discovery-of-former-north-korean-developer/"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"}]},{"content":"The individual at the center of the disclosure, allegedly identified as Keisuke Watanabe, is described by ZachXBT as a suspected North Korean IT operative posing as a Japanese developer — a pattern documented across more than 40 DeFi platforms according to MetaMask security researcher Taylor Monahan. Watanabe's alleged GitHub handles include keisukew53, kdevdivvy, kasky53, and 0xWoo. ZachXBT published associated Solana and Ethereum wallet addresses alongside the disclosure. These aliases and the pattern of posing as Japanese nationals are consistent with documented DPRK IT worker tradecraft noted by U.S. authorities and independent researchers. 
The credibility of the Watanabe attribution rests primarily on ZachXBT's OSINT investigation; independent government or law enforcement confirmation of the specific individual's identity has not been publicly reported as of May 22, 2026.","heading":"Alleged Operative Identity and Aliases","severity":"critical","sources":[{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"},{"credibility":2,"name":"Stabble Urges Users To Withdraw Liquidity Following Discovery Of Former North Korean Developer — Metaverse Post","type":"news_article","url":"https://mpost.io/stabble-urges-users-to-withdraw-liquidity-following-discovery-of-former-north-korean-developer/"}]},{"content":"Watanabe is alleged to have concurrently held the CTO role at Stabble, a separate Solana-based decentralized exchange, while also working at ElementalDeFi. Stabble's new management team — which assumed control approximately four weeks before the April 7, 2026 disclosure — issued an emergency notice urging all liquidity providers to withdraw funds as a precaution. Stabble's TVL collapsed approximately 62 percent, from roughly $1.75 million to under $663,000, in a single trading session following the alert. Stabble stated that no exploit had occurred and that it planned to engage major auditing firms before reopening operations. ElementalDeFi, by contrast, issued no comparable public notice or remediation announcement. 
The shared operative connecting both protocols represents a potential systemic risk to code integrity across both platforms.","heading":"Connection to Stabble and Shared Operative Cluster","severity":"critical","sources":[{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korean Hacker Scare — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/stabble-solana-liquidity-withdrawal-north-korean-hacker/"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"},{"credibility":2,"name":"Solana-based Stabble tells LPs to withdraw funds after identifying former North Korean employee — The Block","type":"news_article","url":"https://www.theblock.co/post/396569/solana-stabble-lps-withdraw-funds-identifying-former-north-korean-employee"}]},{"content":"Researchers and investigators have described the alleged Watanabe operative as part of a broader North Korean IT worker cluster active in Solana DeFi. The same cluster is contextually linked to the April 1, 2026 Drift Protocol exploit, in which approximately $285 million in user assets were drained in roughly 12 minutes through a six-month social engineering campaign against Drift's Security Council. TRM Labs attributed the Drift hack to the DPRK-linked threat actor tracked as UNC4736 (also known as AppleJeus, Citrine Sleet, and Golden Chollima) with medium confidence. The Drift attack involved social engineering multisig signers into pre-signing hidden authorizations via durable nonce accounts, followed by the introduction of a fictitious collateral asset. 
ElementalDeFi's founder 'Moo' was noted by ZachXBT to have publicly criticized Drift Protocol's security failures around the time of the April 1 exploit, which prompted ZachXBT's public call-out about ElementalDeFi's own undisclosed DPRK employment. The extent of any operational or financial connection between the Watanabe persona and the actors behind the Drift exploit has not been independently confirmed in public reporting.","heading":"Connection to Drift Protocol Exploit and DPRK Operative Cluster","severity":"high","sources":[{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"As of May 22, 2026, ElementalDeFi has made no public statement acknowledging ZachXBT's April 7, 2026 disclosure. No security audit, code review, or remediation announcement has been published by the project or attributed to its team in available public records. The project's documentation site (docs.elemental.fund) contains no mention of the incident. This stands in contrast to Stabble, which issued an emergency LP withdrawal notice, publicly acknowledged the disclosure, and announced plans to engage external auditors before reopening. 
The failure to disclose or remediate leaves users with no information about whether Watanabe contributed code to ElementalDeFi's production smart contracts, whether any backdoors or malicious logic may have been introduced, or what steps — if any — the team has taken to assess risk. Industry researchers including Taylor Monahan have noted that DPRK-linked developers have contributed code to DeFi protocols for at least six years, and that insider access to smart contract codebases presents a persistent and difficult-to-detect risk.","heading":"Absence of Public Disclosure or Remediation by ElementalDeFi","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"credibility":2,"name":"Incident with Stabble DEX Highlighted Threat of North Korea-Linked Workers Infiltrating Crypto Companies — Incrypted","type":"news_article","url":"https://incrypted.com/en/incident-with-the-stabble-dex-highlighted-threat-of-north-korea-linked-workers-infiltrating-crypto-companies/"}]},{"content":"ElementalDeFi's situation is part of a documented, industry-wide pattern. MetaMask security researcher Taylor Monahan has stated that more than 40 DeFi platforms have at some point inadvertently employed DPRK-linked developers, and that these workers have been active in the sector since at least 2020. ZachXBT separately documented a DPRK-linked IT worker network generating approximately $1 million per month through crypto payment flows, based on data exfiltrated from a compromised internal payment server containing records for 390 accounts. The operatives frequently pose as Japanese or other East Asian developers, acquire legitimate professional histories, and target projects with remote-first hiring practices. 
A March 2026 Chainalysis report noted that OFAC-sanctioned individuals involved in IT worker fraud were estimated to have earned approximately $800 million in 2024. DPRK hackers stole approximately $2 billion in cryptocurrency in 2025 alone according to Chainalysis, representing a 51 percent increase from the prior year.","heading":"Broader DPRK IT Worker Threat Context","severity":"high","sources":[{"credibility":2,"name":"ZachXBT Uncovers North Korea-Linked IT Worker Network Generating $1M Monthly — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":2,"name":"ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/zachxbt-uncovers-3-5m-operation-by-north-korean-fake-devs-inside-crypto-firms/"},{"credibility":1,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"North Korean IT Workers Infiltrating DeFi for Years, Says Researcher — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/06/north-korean-it-workers-infiltrating-defi-for-years-says-researcher/"}]},{"content":"ElementalDeFi (operating at elemental.fund) is a Solana-based DeFi investment platform founded in September 2022. It offers yield products including Elemental Lend (launched publicly in beta in October 2025), the Geyser Fund (using liquid staking tokens such as bSOL), and the Geodium Fund (a partnership fund with Raydium). The project describes itself as offering 'a transparent, zero-fee investment experience.' The founder is known publicly only by the pseudonym 'Moo.' Specific TVL figures for the project at the time of the DPRK disclosure were not available in public sources reviewed for this investigation. 
The project's documentation makes no reference to the April 2026 security incident.","heading":"Project Background","severity":"low","sources":[{"credibility":1,"name":"Elemental DeFi Documentation — docs.elemental.fund","type":"official","url":"https://docs.elemental.fund/"}]}],"sources_used":[{"credibility":2,"name":"ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"credibility":2,"name":"Stabble Urges Users To Withdraw Liquidity Following Discovery Of Former North Korean Developer — Metaverse Post","type":"news_article","url":"https://mpost.io/stabble-urges-users-to-withdraw-liquidity-following-discovery-of-former-north-korean-developer/"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"},{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korean Hacker Scare — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/stabble-solana-liquidity-withdrawal-north-korean-hacker/"},{"credibility":2,"name":"Solana-based Stabble tells LPs to withdraw funds after identifying former North Korean employee — The Block","type":"news_article","url":"https://www.theblock.co/post/396569/solana-stabble-lps-withdraw-funds-identifying-former-north-korean-employee"},{"credibility":2,"name":"ZachXBT Uncovers North Korea-Linked IT Worker Network Generating $1M Monthly — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million 
Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":2,"name":"Incident with Stabble DEX Highlighted Threat of North Korea-Linked Workers Infiltrating Crypto Companies — Incrypted","type":"news_article","url":"https://incrypted.com/en/incident-with-the-stabble-dex-highlighted-threat-of-north-korea-linked-workers-infiltrating-crypto-companies/"},{"credibility":2,"name":"North Korean IT Workers Infiltrating DeFi for Years, Says Researcher — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/06/north-korean-it-workers-infiltrating-defi-for-years-says-researcher/"},{"credibility":2,"name":"ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/zachxbt-uncovers-3-5m-operation-by-north-korean-fake-devs-inside-crypto-firms/"},{"credibility":1,"name":"2025 Crypto Theft Reaches $3.4 Billion — 
Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"Solana DeFi Alarmed: DPRK-Linked Developer Revealed to Have Worked on Multiple Projects — AInvest","type":"news_article","url":"https://www.ainvest.com/news/solana-defi-alarmed-dprk-linked-developer-revealed-worked-multiple-projects-2604/"},{"credibility":1,"name":"Elemental DeFi Documentation — docs.elemental.fund","type":"official","url":"https://docs.elemental.fund/"}],"summary":"ElementalDeFi is a Solana-based DeFi fund and lending platform founded in September 2022 that offers yield products including Elemental Lend, the Geyser Fund, and the Geodium Fund. On April 7, 2026, blockchain investigator ZachXBT publicly disclosed that an individual identified as Keisuke Watanabe — an alleged North Korean IT operative — had been employed at the project for multiple years, and that the same individual served as CTO at the related Solana DEX Stabble. As of May 22, 2026, ElementalDeFi has issued no public response, audit findings, or remediation plan, leaving unresolved the risk that the operative may have introduced backdoors or malicious code into the protocol's production smart contracts.","timeline":[{"date":"2022-09-01","event":"ElementalDeFi founded on Solana, initially launching with a $1,000 pool from early adopters.","source":"Elemental DeFi Documentation","source_url":"https://docs.elemental.fund/"},{"date":"2025-10-01","event":"Elemental Lend opens to public beta following closed alpha testing.","source":"Elemental DeFi Documentation","source_url":"https://docs.elemental.fund/"},{"date":"2026-04-01","event":"Drift Protocol, the largest decentralized perpetual futures exchange on Solana, is exploited for approximately $285 million in user assets in roughly 12 minutes, following a six-month DPRK social engineering campaign. 
TRM Labs attributes the attack to UNC4736 with medium confidence.","source":"TRM Labs — North Korean Hackers Attack Drift Protocol","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-04-07","event":"ZachXBT publicly discloses via X that ElementalDeFi employed an alleged DPRK IT operative, Keisuke Watanabe, for multiple years. The disclosure targets ElementalDeFi founder 'Moo' and includes Watanabe's alleged aliases (kasky53, keisukew53, kdevdivvy, 0xWoo), wallet addresses, and email. Stabble, where Watanabe allegedly served as CTO, issues an emergency withdrawal notice to liquidity providers. Stabble's TVL drops approximately 62 percent. ElementalDeFi makes no public statement.","source":"BanklessTimes — ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years","source_url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"date":"2026-05-22","event":"No public statement, security audit, or remediation plan has been published by ElementalDeFi regarding the DPRK employment disclosure. The risk of planted backdoor code in production contracts remains unaddressed in public communications.","source":"AVOID.NET research — no public sources found confirming a response","source_url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"}]},"v":1}