Theft Alert: North Korean Developers Steal $1.3 Million in Cryptocurrency

Blockchain investigator ZachXBT has recently brought to light a case involving North Korean developers who managed to steal $1.3 million from a project’s treasury. These developers, using fake identities, inserted malicious code into the system, enabling them to make unauthorized transfers of funds. The stolen money, amounting to 50.2 ETH, was sent to a theft address, then moved from Solana to Ethereum via the deBridge platform. To further conceal their tracks, the funds were run through Tornado Cash, a crypto mixer, before being split and transferred to two different exchanges.

According to ZachXBT’s findings, North Korean IT workers have infiltrated more than 25 crypto projects since June 2024, using various payment addresses. It is believed that a single entity in Asia, likely based in North Korea, is receiving between $300,000 and $500,000 monthly. This entity employs at least 21 workers across different crypto projects. Prior to this particular incident, $5.5 million had been funneled into an exchange deposit address associated with payments to North Korean IT workers from July 2023 to July 2024. These payments have been traced back to Sim Hyon Sop, an individual sanctioned by the US Office of Foreign Assets Control (OFAC).

ZachXBT’s investigation revealed several key mistakes and unusual behaviors exhibited by the malicious actors. These included IP address overlaps between developers seemingly situated in the US and Malaysia, as well as accidental leaks of alternative identities during recorded sessions. Following the breach, ZachXBT recommended that affected projects thoroughly inspect their logs and conduct more thorough background checks. He also highlighted specific warning signs for teams to be wary of, such as referrals from unknown developers, inconsistencies in work history, and overly polished resumes or GitHub profiles.

North Korea has long been associated with cybercrime, with various groups linked to the country engaging in phishing scams, exploiting software vulnerabilities, unauthorized system access, private key theft, and physical infiltration of organizations. The Lazarus Group, one of the most notorious North Korean hacking entities, is believed to have stolen over $3 billion in cryptocurrency between 2017 and 2023. In 2022, the US government issued a warning about the increasing number of North Korean individuals taking up freelance tech roles, particularly within the crypto sector.

The case of the North Korean developers who stole $1.3 million serves as a stark reminder of the ongoing threat posed by malicious actors operating within the cryptocurrency space. It underscores the importance of maintaining robust security measures and vigilance against potential infiltrators, especially those with a history of cybercrime.
