Key points to remember:
- Stabble urged all liquidity providers withdrew their funds on April 7, 2026, after ZachXBT reported an alleged former employee as a suspected DPRK agent.
- No exploits or violations occurred at Stabble, and the protocol’s TVL stood at approximately $1.75 million at the time of the alert.
- Stabble’s new team plans further audits before resuming normal operations, following a takeover approximately four weeks previously.
Solana DEX Stabble Issues Emergency LP Withdrawal
The former employee was identified as Keisuke Watanabe, operating under aliases including kasky53, keisukew53, kdevdivvy, and 0xWoo on GitHub and social platforms. ZachXBT disclosed Watanabe’s full name and associated wallet addresses on Solana and Ethereum, email and supporting OSINT documentation in a public release on Solana Challenge infrastructure project where Watanabe had also worked.
Stabble’s new management team, which took over the project about four weeks before the disclosure, confirmed that the former employee had worked at Stabble about a year earlier. The team said there have been no exploits, breaches, and no known security incidents of any kind. The emergency message from the Stabble account on X read:
“EMERGENCY! Guys, please temporarily remove your liquidity immediately! Prevention is better than cure. The new stable team.
In a follow-up statement, the team clarified its position. “We are not PR specialists, we are quants and firsts Challenge degens,” they wrote. “Our main goal is the safety of our LPs. There were no exploits. We have received a message and are acting on it.
The protocol’s total value locked stood at approximately $1.75 million at the time of the alert, with significant withdrawals already underway and much of the funds concentrated in a single wallet. The limited TVL contained the scope of any potential risks. DPRK-linked IT workers infiltrate crypto and DeFi projects are a documented model spanning at least seven years.
These agents often pose as Japanese or foreign developers to gain privileged access. US authorities and independent researchers have reported suspected North Korean workers on more than 40 DeFi platforms.
The recent Drift Protocol exploit on Solana, estimated to be worth around $280 million and attributed to suspected North Korean actors, involved months of social engineering rather than a smart contract vulnerability.
Stabble fits the profile of a project vulnerable to existing team risks. The new management inherited a code base and contributor history that they had not fully audited. Their decision to suspend operations and request new audits of large companies reflects a cautious attitude when it comes to optics.
The team reported operational progress in the weeks leading up to the incident, including a doubling of TVL, a three- to four-fold increase in revenue, and a 100% price increase. These winnings remain intact, as no funds were lost and the protocol continues to process withdrawals.
The ZachXBT disclosure connected Watanabe to Elemental founder “Moo” during a comment on the Drift hack, with Stabble caught up in the broader call-out due to his previous association with the same individual. The cross-project exposure highlights how one confirmed bad actor can ripple across multiple protocols.
“Stop pointing out that you conveniently forgot the fact that you had a DPRK IT person employed at Elemental for years,” ZachXBT remarked.
Moo rejected the accusation of virtue signaling and emphasized responsibility. The Elemental founder argued that when major outages occur, the minimum standard is to acknowledge mistakes, communicate transparently, and deal directly with users.
Community response to Stabble’s management has been mixed. Some users credited the team for its transparent and timely action. Others criticized the blunt wording of “EMERGENCY” as likely to cause unnecessary panic given the lack of a confirmed threat.
The Stabble team plans to contact major auditing firms before reopening liquidity operations. No timetable has been confirmed. Crypto projects of all sizes continue to face pressure to vet contributors through background checks, code review isolation, and privilege checks. The Stabble incident adds to a growing list of cases where DPRK-linked identity fraud has reached projects long after the agent has left.
