ZachXBT, a prominent cybersecurity expert, has uncovered a complex scheme where North Korean IT workers are posing as crypto developers to infiltrate various cryptocurrency projects. This operation resulted in the theft of $1.3 million from a project’s treasury and exposed over 25 compromised crypto projects since June 2024. The investigation suggests a single entity in Asia, likely North Korean, is earning between $300,000 and $500,000 per month by working on multiple crypto projects using fake identities.
The scam began when an anonymous team sought ZachXBT’s help after $1.3 million was stolen from their treasury. The team had unknowingly hired North Korean IT workers who used fake identities to gain access to their project. The stolen funds were swiftly laundered through a series of transactions, including moving them from Solana to Ethereum and ultimately depositing the funds into Tornado Cash, a cryptocurrency mixer.
Further investigation by ZachXBT revealed a wider network of 21 malicious developers who had received $375,000 in just one month. These developers were linked to earlier transactions totaling $5.5 million, connected to individuals sanctioned by the U.S. Office of Foreign Assets Control (OFAC), including Sim Hyon Sop. The investigation also found Russian Telecom IP overlap among the developers, despite claims of being based in the US or Malaysia.
ZachXBT warned that experienced teams have inadvertently hired these deceptive developers and outlined several preventive measures. These include being cautious of developers who refer one another, scrutinizing KYC information, monitoring for suspicious behavior, and verifying the locations of developers to prevent similar incidents in the future.
Reference:
