North Korean Workers Tied To $1.3M Crypto Theft: ZachXBT

Cybersecurity expert ZachXBT’s recent tweets suggest a sophisticated scheme involving North Korean IT workers posing as crypto developers is taking place.

The operation led to the theft of $1.3 million from a project’s treasury and exposed a network of over 25 compromised crypto projects active since June 2024.

ZachXBT’s research strongly suggests that a single entity in Asia, likely operating out of North Korea, is receiving $300,000 to $500,000 per month by working simultaneously on over 25 crypto projects using fake identities. 

The theft and laundering scheme

The incident began when a publicly anonymous team reached out to ZachXBT for help after $1.3 million was stolen from their treasury. Unbeknownst to them, they had hired multiple North Korean IT workers who used fake identities to infiltrate the team.

The stolen funds, totaling $1.3 million, were quickly laundered through a sequence of transactions, including transferring to a theft address, bridging from (SOL) to Ethereum (ETH) via deBridge, depositing 50.2 ETH to Tornado Cash, and ultimately transferring 16.5 ETH to two different exchanges.

Mapping the network

Further investigation revealed that the malicious developers were part of a larger network. By tracking multiple payment addresses, the investigator mapped out a cluster of 21 developers who had received approximately $375,000 in the last month alone.

The investigation also connected these activities to previous transactions totaling $5.5 million, which flowed into an exchange deposit address from July 2023 to 2024. 

These payments were linked to North Korean IT workers and Sim Hyon Sop, a figure sanctioned by the Office of Foreign Assets Control (OFAC). Throughout the investigation, several concerning activities came to light, including instances of Russian Telecom IP overlap among developers who were reportedly based in the US and Malaysia.

Additionally, one developer accidentally exposed other identities while being recorded. Further investigations revealed that payment addresses were closely linked to those of OFAC-sanctioned individuals, such as Sang Man Kim and Sim Hyon Sop. 

The involvement of recruitment companies in placing some developers added complexity to the situation. Additionally, several projects employed at least three North Korean IT workers who had referred each other.

Preventive measures

ZachXBT pointed out that many experienced teams have inadvertently hired deceptive developers, so it’s not entirely fair to blame the teams. However, there are several measures that teams can take to protect themselves in the future. 

These measures include being cautious of developers who refer each other for roles, scrutinizing resumes, thoroughly verifying KYC information, asking detailed questions about developers’ claimed locations, monitoring for developers who are fired and then reappear under new accounts, watching for a decline in performance over time, regularly reviewing logs for anomalies, being cautious of developers using popular NFT profile pictures, and noting potential language accents that could indicate origins in Asia.

RECENT NEWS

Ether Surges 16% Amid Speculation Of US ETF Approval

New York, USA – Ether, the second-largest cryptocurrency by market capitalization, experienced a significant surge of ... Read more

BlackRock And The Institutional Embrace Of Bitcoin

BlackRock’s strategic shift towards becoming the world’s largest Bitcoin fund marks a pivotal moment in the financia... Read more

Robinhood Faces Regulatory Scrutiny: SEC Threatens Lawsuit Over Crypto Business

Robinhood, the prominent retail brokerage platform, finds itself in the regulatory spotlight as the Securities and Excha... Read more

Ethereum Lags Behind Bitcoin But Is Expected To Reach $14K, Boosting RCOF To New High

Ethereum struggles to keep up with Bitcoin, but experts predict a rise to $14K, driving RCOF to new highs with AI tools.... Read more

Ripple Mints Another $10.5M RLUSD, Launch This Month?

Ripple has made notable progress in the rollout of its stablecoin, RLUSD, with a recent minting of 10.5… Read more

Bitcoin Miner MARA Acquires Another $551M BTC, Whats Next?

Bitcoin mining firm Marathon Digital Holdings (MARA) has announced a significant milestone in its BTC acquisition strate... Read more