North Korean Developers Used Fake Identities To Steal Crypto Project: ZachXBT

Blockchain researcher ZachXBT has released information about North Korean developers who allegedly stole $1.3 million from a project’s treasury.

The theft was carried out when the developers, who had been hired under false identities, injected malicious code into the system, which allowed the unauthorized transfer of funds.

ZachXBT discovers the crypto worker scheme

ZachXBT explained on X that the stolen funds were first sent to an address controlled by the thieves and then bridged from Solana to Ethereum via the deBridge platform. The funds, 50.2 ETH, were deposited into Tornado Cash, a cryptocurrency mixer that obscures transaction traces. After that, 16.5 ETH was transferred to two exchanges.

1/ I was recently contacted by a team for help after $1.3 million was stolen from the treasury after malicious code was sent.

Unbeknownst to the team, they had hired several DPRK IT workers as developers using fake identities.

Then I discovered more than 25 crypto projects with… pic.twitter.com/W7SgY97Rd8

— ZachXBT (@zachxbt) August 15, 2024

According to ZachXBT, since June 2024, North Korean IT workers have infiltrated more than 25 crypto projects using multiple payment addresses. He noted that there could be a single entity in Asia, probably based in North Korea, that receives between $300,000 and $500,000 each month while employing at least 21 workers on different crypto projects.

Further analysis noted that prior to this case, $5.5 million had been funneled to an exchange deposit address linked to payments made to North Korean IT workers from July 2023 to July 2024. These payments were linked to Sim Hyon Sop, an individual sanctioned by the US Office of Foreign Assets Control (OFAC).

ZachXBT’s investigation delved into the various mistakes and unusual patterns made by malicious actors. There were IP overlaps between developers allegedly based in the US and Malaysia and accidental leaks of alternate identities during recorded sessions.

Following the incident, ZachXBT contacted the affected projects and advised them to review their records and conduct more intensive background checks. He also pointed out several red flags that teams can monitor, such as referrals for roles coming from other developers, inconsistent work history, and unusually polished resumes or GitHub profiles.

North Korea’s rise in cybercrime

Meanwhile, groups linked to North Korea have long been associated with cybercrime. Their tactics often include phishing schemes, exploiting software vulnerabilities, unauthorized system access, stealing private keys, and even infiltrating organizations in person.

One of its most infamous organizations, the Lazarus Group, allegedly stole over $3 billion in crypto assets from 2017 to 2023.

In 2022, the US government warned about the increasing number of North Korean workers in freelance technology roles, especially those in the crypto sector.
