North Korean Devs Used Fake Identities to Steal From Crypto Project: ZachXBT

Blockchain investigator ZachXBT has released information regarding North Korean developers who allegedly stole $1.3 million from a project’s treasury.

The theft was carried out when the devs, who had been hired using fake identities, injected malicious code into the system, which allowed the unauthorized transfer of funds.

ZachXBT Uncovers Crypto Workers Scheme

ZachXBT explained on X that the stolen funds were initially sent to a theft address and bridged from Solana to Ethereum through the deBridge platform. The funds, 50.2 ETH, were deposited into Tornado Cash, a crypto mixer that obscures transaction trails. After that, 16.5 ETH was transferred to two exchanges.

1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.

Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.

I then uncovered 25+ crypto projects with… pic.twitter.com/W7SgY97Rd8

— ZachXBT (@zachxbt) August 15, 2024

According to ZachXBT, since June 2024, North Korean IT workers have infiltrated over 25 crypto projects using multiple payment addresses. He noted that there could be a single entity in Asia, likely based in North Korea, receiving between $300,000 to $500,000 each month while employing at least 21 workers across different crypto projects.

Further analysis noted that before this case, $5.5 million had been funneled into an exchange deposit address tied to payments made to North Korean IT workers from July 2023 to July 2024. These payments were linked to Sim Hyon Sop, an individual sanctioned by the US Office of Foreign Assets Control (OFAC).

ZachXBT’s investigation looked deeper into the several errors and unusual patterns made by the malicious actors. There were IP overlaps between developers allegedly based in the US and Malaysia and accidental leaks of alternate identities during recorded sessions.

Following the incident, ZackXBT contacted the affected projects and advised them to review their logs and do more intensive background checks. He also noted several red flags that teams can monitor, such as referrals for roles from other developers, work history inconsistency, and highly polished resumes or GitHub profiles.

North Korean Cybercrime Surge

Meanwhile, groups linked to North Korea have long been associated with cybercrime. Their tactics often include phishing schemes, exploiting software vulnerabilities, unauthorized system access, private key theft, and even infiltrating organizations in person.

One of its most infamous organizations, Lazarus Group, allegedly stole over $3 billion in crypto assets from 2017 to 2023.

In 2022, the US government warned about the surging number of North Korean workers getting into freelance tech roles, especially those in the crypto sector.