Recent tweets from cybersecurity expert ZachXBT suggest that a complex scheme is being carried out involving North Korean IT workers posing as crypto developers.
The operation led to the theft of $1.3 million from one project’s treasury and the exposure of a network of over 25 breached crypto projects that had been operating since June 2024.
ZachXBT’s research strongly suggests that a single organization in Asia, likely operating from North Korea, was earning between $300,000 and $500,000 per month by working simultaneously on more than 25 crypto projects using fake identities.
6/ Since many experienced teams hired these developers, it would not be fair to blame them alone.
Here are some indicators that teams can look out for in the future:
1) They refer to each other for roles
2) Nice looking resumes/GitHub activities can sometimes lie…
— ZachXBT (@zachxbt) August 15, 2024
Theft and money laundering scheme
The incident began when a publicly anonymous team reached out to ZachXBT for help after $1.3 million was stolen from their treasury. Unbeknownst to them, they had recruited multiple North Korean IT operatives who used fake identities to infiltrate the team.
The stolen $1.3 million was quickly laundered through a series of transactions: a transfer to the theft address, a bridge from Solana (SOL) to Ethereum (ETH) via deBridge, a deposit of 50.2 ETH into Tornado Cash, and finally a transfer of 16.5 ETH to two different exchanges.
Mapping the network
Further investigation revealed that the malicious developers were part of a larger network. By tracking multiple payment addresses, the researcher mapped a cluster of 21 developers who received approximately $375,000 in the past month alone.
The investigation also found that these activities were linked to previous transactions totaling $5.5 million that flowed into an exchange deposit address between July 2023 and 2024.
These payments were linked to North Korean IT employees and a figure sanctioned by the Office of Foreign Assets Control (OFAC), Sim Hyon Sop. Throughout the investigation, several concerning activities were uncovered, including instances of Russian Telecom IP overlap between developers reportedly located in the US and Malaysia.
Additionally, a developer accidentally disclosed other identities when registering. Further investigation revealed that the payment addresses were closely linked to the addresses of OFAC-sanctioned individuals such as Sang Man Kim and Sim Hyon Sop.
The situation was complicated by the involvement of recruitment companies in placing some developers. Additionally, at least three North Korean IT workers who recommended each other were employed on several projects.
Precautionary measures
ZachXBT noted that many experienced teams have unintentionally hired deceptive developers, so it’s not entirely fair to blame teams. However, there are a few precautions teams can take to protect themselves in the future.
These measures include being wary of developers who refer each other for roles, reviewing resumes, thoroughly verifying KYC information, asking detailed questions about developers' claimed positions, watching for developers who have been fired and then resurface under new accounts, monitoring for performance degradation over time, regularly reviewing logs for anomalies, being wary of developers using popular NFT profile pictures, and taking note of possible language accents that could indicate Asian origins.
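The IP overlap and payment-address links described under "Mapping the network", and the log review recommended above, can be checked with a small script. The following is an added example, not code from ZachXBT or any affected project; the record fields, account names, IPs and wallet placeholders are constructed assumptions. It clusters contractor accounts that share a login IP or payout address and flags clusters whose members claim different countries.

```python
from collections import defaultdict

# Constructed sample records (not real data): contractor account, claimed
# country, login source IP (documentation ranges), payout wallet placeholder.
RECORDS = [
    {"account": "dev-a", "claimed": "US", "ip": "198.51.100.7", "payout": "WALLET_1"},
    {"account": "dev-b", "claimed": "MY", "ip": "198.51.100.7", "payout": "WALLET_2"},
    {"account": "dev-c", "claimed": "US", "ip": "203.0.113.20", "payout": "WALLET_2"},
    {"account": "dev-d", "claimed": "CA", "ip": "192.0.2.44", "payout": "WALLET_3"},
    {"account": "dev-a", "claimed": "US", "ip": "192.0.2.99", "payout": "WALLET_1"},
]

def link_accounts(records):
    """Cluster accounts that share a login IP or payout address (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    claimed = defaultdict(set)  # account -> countries it has claimed
    users = defaultdict(set)    # attribute node -> accounts seen using it
    for r in records:
        claimed[r["account"]].add(r["claimed"])
        for attr in (("ip", r["ip"]), ("payout", r["payout"])):
            users[attr].add(r["account"])
            parent[find(("acct", r["account"]))] = find(attr)  # merge sets

    groups = defaultdict(set)
    for account in claimed:
        groups[find(("acct", account))].add(account)
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue  # an account linked to nobody else is not a finding
        countries = set().union(*(claimed[a] for a in members))
        findings.append({
            "accounts": sorted(members),
            "shared": sorted(k for k, v in users.items() if len(v) > 1 and v <= members),
            "countries": sorted(countries),
            "location_conflict": len(countries) > 1,
        })
    return findings

if __name__ == "__main__":
    for finding in link_accounts(RECORDS):
        print(finding)
```

A shared IP alone can be a VPN or office egress address, so a flagged cluster is a prompt for manual review rather than a verdict.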