Solana DEX Stabble has urged its users to withdraw all liquidity after a former employee was outed as a North Korean operative.
The IT worker in question, who has also worked for Solana crypto fund Elemental, was named by crypto sleuth ZachXBT on Tuesday during a back and forth with Elemental founder “Moo.”
When the discussion turned to the issue of trust – something that Moo says they’ve been “obsessing over” for four years – Zach responded, “Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years.”
The investigator then went on to reveal details of the alleged mole, naming him as Keisuke Watanabe, aka “kasky53,” and posting his GitHub aliases and email address.
Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years.
Name: Keisuke Watanabe
X: kasky53
GitHub alias: keisukew53, kdevdivvy, kasky53, 0xWoo
Email: keisukew53@gmail[.]comRelated addresses:… pic.twitter.com/eg0XTjU1Nh
— ZachXBT (@zachxbt) April 7, 2026
Stabble quickly quote tweeted Zach and urged its users, “To be safe – everyone please temporally [sic] withdraw your liquidity instantly!
“Better safe than sorry.
“This is the new team from Stabble, that aimed to repair the project.
“We will do new audits to be safe about our LPs.
“Then we can continue. Safety first.”
It then admitted that it employed Watanabe a year ago.
DPRK plants have been on crypto payrolls ‘for years’
The warning comes as the industry grapples with fresh revelations from ZachXBT, who revealed this week that North Korean IT workers have been quietly embedded on crypto project payrolls for years.
Previous investigations have shown millions of dollars flowing to suspected DPRK-linked developers operating under fake identities, raising concerns about insider access and long-term infiltration risks.
Footage circulating on X appears to show suspected DPRK IT workers abruptly leaving a Zoom call after being prompted to criticize North Korean leader Kim Jong Un, further fueling speculation about covert operatives inside crypto teams.
The developments follow the recent Drift Protocol hack, one of the largest DeFi exploits of 2026, in which more than $200 million – and potentially up to $285 million – was drained.
Analysts and blockchain researchers have linked the attack to North Korean hacking groups, citing patterns consistent with past operations tied to the Lazarus Group.
North Korean hackers posing as devs exposed with ‘I Hate Kim Jong Un’ test
One trading firm with close ties to Drift said it was “bombed back to the stone age” by the exploit, highlighting the scale of the damage across interconnected Solana liquidity providers.
The attack itself was notable not for a smart contract bug, but for a prolonged social engineering campaign.
Investigators say attackers spent months building trust, infiltrating contributor circles, and ultimately exploiting governance mechanisms to drain funds in a matter of minutes.
Protos has reached out to Stabble for comment and will update if we hear back.