Cybersecurity expert ZachXBT’s recent tweets suggest a sophisticated scheme involving North Korean IT workers posing as crypto developers is taking place.
The operation led to the theft of $1.3 million from a project’s treasury and exposed a network of over 25 compromised crypto projects active since June 2024.
ZachXBT’s research strongly suggests that a single entity in Asia, likely operating out of North Korea, is receiving $300,000 to $500,000 per month by working simultaneously on over 25 crypto projects using fake identities.
6/ A number of experienced teams have hired these devs so it’s not fair to them single as the ones to blame. Some indicators teams can look out for in the future includes: 1) They refer each other for roles 2) Good looking resumes / GitHub activity although sometimes lie…
— ZachXBT (@zachxbt) August 15, 2024
You might also like: Suspects in $14m Holograph hack arrested by EU authorities
The theft and laundering scheme
The incident began when a publicly anonymous team reached out to ZachXBT for help after $1.3 million was stolen from their treasury. Unbeknownst to them, they had hired multiple North Korean IT workers who used fake identities to infiltrate the team.
The stolen funds, totaling $1.3 million, were quickly laundered through a sequence of transactions, including transferring to a theft address, bridging from (SOL) to Ethereum (ETH) via deBridge, depositing 50.2 ETH to Tornado Cash, and ultimately transferring 16.5 ETH to two different exchanges.
You might also like: US govt sent $594m Silk Road Bitcoin to Coinbase
Mapping the network
Further investigation revealed that the malicious developers were part of a larger network. By tracking multiple payment addresses, the investigator mapped out a cluster of 21 developers who had received approximately $375,000 in the last month alone.
The investigation also connected these activities to previous transactions totaling $5.5 million, which flowed into an exchange deposit address from July 2023 to 2024.
These payments were linked to North Korean IT workers and Sim Hyon Sop, a figure sanctioned by the Office of Foreign Assets Control (OFAC). Throughout the investigation, several concerning activities came to light, including instances of Russian Telecom IP overlap among developers who were reportedly based in the US and Malaysia.
Additionally, one developer accidentally exposed other identities while being recorded. Further investigations revealed that payment addresses were closely linked to those of OFAC-sanctioned individuals, such as Sang Man Kim and Sim Hyon Sop.
The involvement of recruitment companies in placing some developers added complexity to the situation. Additionally, several projects employed at least three North Korean IT workers who had referred each other.
You might also like: Vitalik Buterin donated $532k in ‘animal coins’ to charity
Preventive measures
ZachXBT pointed out that many experienced teams have inadvertently hired deceptive developers, so it’s not entirely fair to blame the teams. However, there are several measures that teams can take to protect themselves in the future.
These measures include being cautious of developers who refer each other for roles, scrutinizing resumes, thoroughly verifying KYC information, asking detailed questions about developers’ claimed locations, monitoring for developers who are fired and then reappear under new accounts, watching for a decline in performance over time, regularly reviewing logs for anomalies, being cautious of developers using popular NFT profile pictures, and noting potential language accents that could indicate origins in Asia.