

    Key Takeaways:

    • Stabble urged all liquidity providers to withdraw funds on April 7, 2026, after ZachXBT flagged a former employee as a suspected DPRK operative.
    • No exploit or breach occurred at Stabble, and the protocol’s TVL stood at approximately $1.75M at the time of the alert.
    • Stabble’s new team plans fresh audits before resuming normal operations, following a takeover roughly four weeks prior.

    Solana DEX Stabble Issues Emergency LP Withdrawal

    The former employee was identified as Keisuke Watanabe, operating under aliases including kasky53, keisukew53, kdevdivvy, and 0xWoo across GitHub and social platforms. ZachXBT disclosed Watanabe’s full name, associated wallet addresses on Solana and Ethereum, email, and supporting OSINT documentation in a public post on X directed at Elemental, a Solana DeFi infrastructure project where Watanabe had also worked.

    Stabble’s new management team, which took over the project roughly four weeks before the disclosure, confirmed the former employee had worked at Stabble approximately one year earlier. The team said there was no exploit, no breach, and no known security incident of any kind. The emergency post from the Stabble account on X read:

    “EMERGENCY! guys please temporally withdraw your liquidity instantly! Better safe than sorry. The new stabble team.”

    In a follow-up statement, the team clarified their position. “We are not PR people, we are quants and early DeFi degens,” they wrote. “Our primary focus is the safety of our LPs. There has been no exploit. We received a message and are acting on it.”

    The protocol’s total value locked stood at approximately $1.75 million at the time of the alert, with significant withdrawals already underway and a large portion of funds concentrated in a single wallet. The limited TVL contained the scope of any potential risk.

    DPRK-linked IT workers infiltrating crypto and DeFi projects is a documented pattern spanning at least seven years. These operatives frequently pose as Japanese or other foreign developers to gain insider access. U.S. authorities and independent researchers have flagged suspected North Korean workers inside more than 40 DeFi platforms.

    The recent Drift Protocol exploit on Solana, estimated at approximately $280 million and attributed to suspected North Korean actors, involved months of social engineering rather than a smart contract vulnerability.

    Stabble fits the profile of a project vulnerable to legacy team risks. The new management inherited a codebase and contributor history they had not fully audited. Their decision to pause operations and seek fresh audits from major firms reflects a precautionary posture over optics.

    The team reported operational progress in the weeks before the incident, including doubled TVL, a threefold to fourfold revenue increase, and a 100 percent price increase. Those gains remain intact, as no funds were lost and the protocol continues to process withdrawals.

    ZachXBT’s disclosure connected Watanabe to Elemental founder “Moo” during commentary on the Drift hack, with Stabble caught in the broader call-out through its prior association with the same individual. The cross-project exposure highlights how one confirmed bad actor can ripple across multiple protocols.

    “Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years,” ZachXBT remarked.

    Moo rejected the accusation of virtue signaling and shifted the focus to accountability. The Elemental founder argued that when major failures occur, the minimum standard is to acknowledge mistakes, communicate transparently, and face users directly.

    Community response to Stabble’s handling was split. Some users credited the team for transparent, fast action. Others criticized the blunt “EMERGENCY” framing as likely to cause unnecessary panic given the absence of a confirmed threat.

    The Stabble team plans to contact major auditing firms before reopening liquidity operations. No timeline has been confirmed. Crypto projects of all sizes continue to face pressure to vet contributors through background checks, code review isolation, and privilege controls. The Stabble incident adds to a growing list of cases where DPRK-linked identity fraud reached projects long after the operative had moved on.


