Blockchain investigator ZachXBT recently reported that North Korean developers stole $1.3 million from a project's treasury. The developers had been hired under fake identities and injected malicious code that let them make unauthorized transfers from the treasury. The stolen funds were sent to a theft address, bridged from Solana to Ethereum via deBridge, and then deposited into the crypto mixer Tornado Cash to obscure their origin. A portion of the funds was eventually withdrawn to two different exchanges, exposing the scheme orchestrated by the North Korean IT workers.
According to ZachXBT's investigation, these North Korean developers had infiltrated over 25 crypto projects since June 2024, using multiple payment addresses. The investigation suggested that a single entity, likely based in North Korea, was receiving between $300,000 and $500,000 per month while employing a team of at least 21 workers across various crypto projects. Furthermore, prior to this incident, $5.5 million had been funneled between July 2023 and July 2024 into an exchange deposit address associated with payments to North Korean IT workers, with ties to an individual sanctioned by the US Office of Foreign Assets Control (OFAC).
ZachXBT's investigation also shed light on several errors and unusual patterns exhibited by the malicious actors. These included IP address overlaps between developers purportedly based in the US and Malaysia, as well as accidental leaks of alternate identities during recorded sessions. In response to these findings, ZachXBT advised affected projects to review their logs thoroughly and to implement more rigorous background checks. He also highlighted red flags that teams should watch for, such as developers referring one another for roles, inconsistencies in work history, and overly polished resumes or GitHub profiles.
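The IP overlap described above is the kind of pattern a log review can surface mechanically. The following is an added example, not part of the article and not ZachXBT's own tooling: it correlates authentication log lines with each contractor's declared work location and flags any source IP used, within a 24-hour window, by two accounts that claim to be in different countries. The log format, account names, countries and addresses are constructed for the example; a real deployment would parse its own VPN, SSO or Git hosting logs instead.

```python
"""Flag contractor accounts that share a source IP despite claiming different locations.

Added example with constructed data; the log format and accounts are assumptions
for illustration, not records from the investigation described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the country each contractor claimed to work from when hired.
CLAIMED_COUNTRY = {
    "dev_a": "US",
    "dev_b": "MY",
    "dev_c": "DE",
    "dev_d": "US",
}

# Constructed sample auth log, one event per line:
#   <ISO-8601 timestamp> user=<account> ip=<source address> action=login
SAMPLE_LOG = """\
2024-08-01T09:02:11Z user=dev_a ip=203.0.113.7 action=login
2024-08-01T09:05:40Z user=dev_b ip=203.0.113.7 action=login
2024-08-01T10:15:03Z user=dev_c ip=198.51.100.22 action=login
2024-08-02T01:44:19Z user=dev_b ip=203.0.113.7 action=login
2024-08-02T02:10:50Z user=dev_a ip=203.0.113.7 action=login
2024-08-03T12:00:00Z user=dev_d ip=192.0.2.9 action=login
2024-08-03T12:30:00Z user=dev_c ip=192.0.2.9 action=login
2024-08-05T09:00:00Z user=dev_a ip=203.0.113.50 action=login
2024-08-05T09:10:00Z user=dev_d ip=203.0.113.50 action=login
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["user"], kv["ip"]))
    return events


def shared_ip_report(events, claimed_country, window=timedelta(hours=24)):
    """Return {ip: sorted accounts} for every IP used within `window` by two
    accounts whose claimed countries differ.

    Two accounts from the same claimed country sharing an IP are not flagged:
    that is consistent with a shared office or VPN and would only add noise.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological, so the inner loop can stop early
        flagged = set()
        for i, (t1, u1) in enumerate(rows):
            for t2, u2 in rows[i + 1:]:
                if t2 - t1 > window:
                    break
                if u1 != u2 and claimed_country.get(u1) != claimed_country.get(u2):
                    flagged.update((u1, u2))
        if flagged:
            findings[ip] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for ip, users in shared_ip_report(parse_log(SAMPLE_LOG), CLAIMED_COUNTRY).items():
        print(f"{ip}: shared by {', '.join(users)} "
              f"({', '.join(CLAIMED_COUNTRY[u] for u in users)})")
```

On the constructed sample this reports 203.0.113.7 (dev_a claiming US, dev_b claiming Malaysia) and 192.0.2.9 (dev_d claiming US, dev_c claiming Germany), while 203.0.113.50, shared by two accounts that both claim the US, is left alone. A hit is a lead for the background check, not proof on its own: shared commercial VPN exit nodes produce the same pattern, so the next step is to compare the overlap against each contractor's stated working hours and the other red flags listed above.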
The actions of North Korean groups in the realm of cybercrime have long been documented, with tactics ranging from phishing schemes to unauthorized system access and private key theft, not to mention physical infiltration of organizations. The notorious Lazarus Group, reportedly associated with North Korea, has been linked to stealing over $3 billion in crypto assets from 2017 to 2023. Additionally, the US government raised concerns in 2022 about the increasing number of North Korean workers infiltrating freelance tech roles, especially within the crypto sector.
The infiltration of North Korean developers in the crypto space poses a significant threat to projects and investors alike. Their sophisticated schemes and nefarious activities highlight the importance of stringent security measures and vigilance within the industry to safeguard against such malicious actors.