Cash News
Crypto investigator ZachXBT has unveiled a sophisticated operation involving North Korean IT workers who infiltrated a project’s development team and stole $1.3 million from its treasury.
The theft occurred after the developers, hired under fake identities, pushed malicious code that facilitated the transfer of funds.
Internal theft
ZachXBT traced the stolen funds through a complex laundering process. The $1.3 million was first transferred to a theft address before being bridged from Solana to Ethereum via the deBridge platform.
The perpetrators then deposited 50.2 ETH into Tornado Cash, a well-known crypto mixer, to obscure the trail of the stolen funds. Finally, they transferred 16.5 ETH to two different exchanges.
The method is similar to tactics used by the notorious North Korean hacker group Lazarus.
Through his investigation, ZachXBT uncovered that these North Korean IT workers had been operating in over 25 different crypto projects since June 2024. These developers used multiple payment addresses, and ZachXBT identified a cluster of payments amounting to approximately $375,000 made to 21 developers within the last month alone.
Further analysis revealed that before this incident, $5.5 million had flowed into an exchange deposit address associated with payments received by North Korean IT workers between July 2023 and July 2024. These payments also showed connections to Sim Hyon Sop, an individual sanctioned by the US Office of Foreign Assets Control (OFAC).
Unusual patterns
ZachXBT’s investigation also uncovered unusual patterns and errors by the malicious actors, including IP overlaps between developers supposedly located in the US and Malaysia, and accidental leaks of alternate identities during a recorded session.
Some developers were placed by recruitment companies, and many projects employed three or more IT workers who referred each other.
In response to the discovery, ZachXBT has been reaching out to affected projects, urging them to review their logs and conduct more thorough background checks. He identified several indicators for teams to watch for, including developers referring each other for roles, discrepancies in work history, and suspiciously polished resumes or GitHub activity.
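Two of the indicators above can be checked mechanically from a project's own records: source-IP overlap between developers who claim to be in different countries, and clusters of developers who referred each other. The script below is an added example, not code from the article or from ZachXBT's investigation; the developer names, claimed countries, IPs and access-log lines are all constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records: hypothetical developer names, claimed countries, referrals.
DEVELOPERS = [
    {"name": "dev_a", "claimed_country": "US", "referred_by": None},
    {"name": "dev_b", "claimed_country": "MY", "referred_by": "dev_a"},
    {"name": "dev_c", "claimed_country": "US", "referred_by": "dev_b"},
    {"name": "dev_d", "claimed_country": "DE", "referred_by": None},
]
# Constructed access-log lines: "<timestamp> <developer> <source_ip>"
ACCESS_LOG = """\
2024-08-01T09:00:00Z dev_a 203.0.113.10
2024-08-01T09:05:00Z dev_b 203.0.113.10
2024-08-01T10:00:00Z dev_c 198.51.100.7
2024-08-02T08:00:00Z dev_d 192.0.2.44
2024-08-02T08:30:00Z dev_c 203.0.113.10
"""

def ip_overlaps(devs, log):
    """Developer pairs that share a source IP while claiming different countries."""
    country = {d["name"]: d["claimed_country"] for d in devs}
    ips = defaultdict(set)
    for line in log.splitlines():
        _, dev, ip = line.split()          # one login event per line
        ips[dev].add(ip)
    flagged = []
    for a, b in combinations(sorted(ips), 2):
        shared = ips[a] & ips[b]
        if shared and country.get(a) != country.get(b):
            flagged.append((a, b, sorted(shared)))
    return flagged

def referral_clusters(devs, min_size=3):
    """Groups of at least min_size developers linked by referrals (union-find)."""
    parent = {d["name"]: d["name"] for d in devs}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for d in devs:
        if d["referred_by"] in parent:     # link referee to referrer's group
            parent[find(d["name"])] = find(d["referred_by"])
    groups = defaultdict(set)
    for d in devs:
        groups[find(d["name"])].add(d["name"])
    return [sorted(g) for g in groups.values() if len(g) >= min_size]
```

Two developers sharing an IP while one claims the US and the other Malaysia is exactly the overlap the investigation describes; a hit is a prompt for a closer look at identity and work history, not proof on its own.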
The case illustrates the ongoing vulnerabilities in the crypto industry, where even experienced teams can unknowingly hire malicious actors. ZachXBT’s findings suggest that a single entity in Asia could be receiving $300,000 to $500,000 per month by exploiting fake identities to secure work across multiple projects.