Key Takeaways:
- ZachXBT uncovered a North Korean operation where IT workers posing as crypto developers stole $1.3 million
- These developers generate up to $500,000 monthly, using laundering techniques to obscure stolen funds
In a shocking revelation, renowned cybersecurity expert ZachXBT has exposed a complex web of deception orchestrated by North Korean IT workers posing as crypto developers. This sophisticated scheme, which has infiltrated over 25 crypto projects, has led to the theft of $1.3 million from a project’s treasury
ZachXBT, who shared his findings with his 618,000 followers on X (formerly Twitter) on August 15, revealed that at least 21 developers linked to the Democratic People’s Republic of Korea (DPRK) are involved in this scam.
These developers, operating under fake identities, have been stealthily embedded within multiple crypto projects since June 2024, leveraging their positions to inject malicious code and siphon off funds.
The investigation uncovered that this single entity, likely based in North Korea, is amassing between $300,000 to $500,000 per month by infiltrating these projects.
The stolen funds are meticulously laundered through a complex series of transactions designed to obscure their origins. In the most recent incident, $1.3 million was funneled from a project’s treasury to a “theft address,” then bridged from Solana to Ethereum via the deBridge platform.
The attackers further muddied the waters by depositing 50.2 ETH into Tornado Cash, a notorious crypto mixer, and subsequently transferring 16.5 ETH to two different exchanges.
This latest heist is just the tip of the iceberg. ZachXBT’s research indicates that these DPRK-linked developers are part of a larger, well-coordinated network. In the past month alone, payments amounting to $375,000 were traced back to these developers, bringing the total laundered sum to a staggering $5.5 million from July 2023 to early 2024.
Some of these developers, while posing as residents of the U.S. and Malaysia, were found to be using Russian Telecom IPs, inadvertently revealing their true origins.
Despite the meticulous planning and execution of these schemes, not all organizations employing these developers are complicit. ZachXBT highlighted that some companies took immediate action upon discovering the true identities of these workers, emphasizing the need for vigilance and thorough vetting in the hiring process.
North Korea’s involvement in cybercrime, particularly in the crypto sector, is not new. The infamous Lazarus Group, a North Korean hacker collective, has reportedly stolen over $3 billion in crypto assets between 2017 and 2023.
The U.S. government has also issued warnings about the increasing presence of North Korean workers in freelance tech roles, particularly within the crypto industry. These latest revelations by ZachXBT serve as a stark reminder of the persistent and evolving threats posed by state-sponsored cybercriminals.
