1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed. Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities. I then uncovered 25+ crypto projects with… pic.twitter.com/W7SgY97Rd8
— ZachXBT (@zachxbt) August 15, 2024
The latest tweet from on-chain detective ZachXBT pointed out that he discovered a criminal hacker network composed of 21 North Korean developers who participated in and stole funds from dozens of encryption projects and allegedly earned up to 500,000 per month. dollars of ill-gotten gains.
ZachXBT Exposes North Korean Criminal Hacking Network
Zach first said that this entity, which is located in Asia and may come from North Korea, employs at least 21 employees, uses fake identities to penetrate more than 25 encryption projects, steals the team's funds when the time is right, and runs away, with an estimated profit of 30 million per month. Ten thousand to US$500,000.
Fraud and money laundering process
He revealed that when he was investigating the hacking incident of a certain project, he discovered a clever and familiar fund trace, using a dedicated stolen address, a coin mixer, and two exchanges to conduct complex money laundering.
However, after tracing multiple addresses, he discovered a larger money laundering network:
These developers received $375,000 in the past month, bringing the total inflow to date from July last year to $5.5 million.
Zach emphasized that the funds ultimately flowed to two individuals "Sim Hyon Sop" and "Sang Man Kim" who were sanctioned by the U.S. Office of Foreign Assets Control (OFAC) and were allegedly accused of being related to North Korea's cybercrime and military weapons programs. associated.
Developers disguise themselves to apply for jobs
At the same time, Zach also pointed out their penetration methods, gaining the trust of the project team through fake ID KYC or beautiful work experience, and then taking the money and leaving:
Some developers claimed to be from the United States or Malaysia, but were found to have session addresses that overlapped with Russian IPs.
He added, "There are many experienced teams who have hired these developers from North Korea without knowing it, and they have all faked their identities."
ZachXBT reminds: The deeper the questions, the better
In this regard, Zach also reminded the team to pay more attention to the following personnel:
Applicants appear to know each other and may even recommend each other
Excellent GitHub or resume, but does not respond truthfully to previous work experience
Agree to KYC but provide fake ID
I don’t know the details of the country I claim to be in. The team can ask carefully for confirmation.
Performed well at first, but gradually deteriorated
When a person is fired, another account immediately appears to apply for a job.
Like to use the more popular NFTs as avatars
Cosine: The team is careful to guard against infiltration by North Korean developers
Yu Xian, founder of the information security team SlowMist, also quoted ZachXBT’s tweet, saying:
They recommend each other to join the company, have been lurking for a long time, have good technical skills, your company is running very well, and then close the network after it has been fattened.
He added, "This kind of thing is no longer new. Unfortunately, there will always be new tricks."
North Korea's hacker crimes are rampant
There are endless cyber crimes related to North Korea, which also include the notorious hacker organization Lazarus, which has planned many cyber attacks and fraud activities in the past, including phishing attacks, protocol vulnerability exploitation, and personnel penetration.
Chain News has previously taken stock of the large-scale cyber attacks committed by Lazarus. The victims included the gaming platform Stake.com and the exchange CoinEx, and more than hundreds of millions of dollars were stolen.
Now, this year’s hacking incidents involving North Korean hackers that have not yet been determined to be Lazarus include:
March: Blast gaming platform Munchables was stolen by a developer, losing approximately $62.5 million
May: Japanese exchange DMM Bitcoin was hacked, resulting in a loss of approximately US$305 million.
July: Indian exchange WazirX was hacked, losing approximately $235 million
(Are they all North Korean hackers? Elliptic analyzed that WazirX was attacked by North Korean hackers, and so was DMM’s $300 million recently?)
In February this year, the United Nations also expressed a serious attitude towards this, emphasizing that North Korean hackers are stealing funds through a large number of cyber attacks to fund the country's nuclear bomb program. In the past seven years, criminal proceeds have exceeded US$3 billion.
(United Nations report: North Korea used hackers to steal cryptocurrency to raise US$3 billion to develop nuclear weapons)
This article ZachXBT exposed North Korea’s hacker criminal network, pretending to be developers to infiltrate the team and then collect money: earning 500,000 US dollars per month first appeared on Chain News ABMedia.
