North Korean Developers Earning Up To $500K Monthly in Crypto; $1.3M Theft Exposed

Highlights:

  • ZachXBT revealed North Korean developers are making $300,000-$500,000 monthly using fake identities.
  • $1.3 million was stolen and laundered via Tornado Cash.
  • North Korean IT workers infiltrated over 25 crypto projects since June 2024.

Blockchain investigator ZachXBT revealed that a network of North Korean developers is reportedly earning between $300,000 and $500,000 a month by working on over 25 “established crypto projects.” On August 15, ZachXBT shared his findings on X with his 618,000 followers, revealing the involvement of at least 21 IT workers from the Democratic People’s Republic of Korea (DPRK).

North Korean Developers Linked to $1.3M Crypto Theft

The incident started when an anonymous team sought ZachXBT’s help after $1.3 million was stolen from their treasury. They had unknowingly hired several North Korean IT workers who used fake identities to infiltrate the team. The $1.3 million was initially transferred to a theft address, then bridged from Solana to Ethereum using the deBridge platform.

The perpetrators deposited 50.2 ETH into Tornado Cash, a well-known crypto mixer, to obscure the stolen funds’ trail. They then transferred 16.5 ETH to two different exchanges. This method mirrors tactics used by the notorious North Korean hacker group Lazarus.

ZachXBT’s investigation revealed that North Korean IT workers have been involved in over 25 different crypto projects since June 2024. These developers used multiple payment addresses, with ZachXBT identifying a cluster of payments totalling around $375,000 made to 21 developers within just the last month.

Further analysis uncovered that $5.5 million had been deposited into an exchange address between July 2023 and July 2024. These payments were linked to North Korean IT workers and individuals sanctioned by the US Office of Foreign Assets Control (OFAC), such as Sang Man Kim and Sim Hyon Sop, both known for their involvement in DPRK-related cybercrime.

US law enforcement suspects Kim pays salaries to family members of Chinyong’s overseas DPRK worker delegations. He is also receiving $2 million in cryptocurrency for selling IT equipment to DPRK-affiliated teams in China and Russia.

Unusual Patterns and Red Flags in Crypto Hiring

ZachXBT’s investigation revealed unusual patterns and errors by the malicious actors. This included IP overlaps between developers supposedly located in the US and Malaysia, as well as accidental leaks of alternate identities during a recorded session.

Some developers were hired through recruitment companies, and many projects employed three or more IT workers who referred each other. In response, ZachXBT has contacted the affected projects, urging them to review their logs and conduct more thorough background checks.

ZachXBT noted that many experienced teams have inadvertently hired deceptive developers, so blaming the teams entirely is unfair. However, there are several steps teams can take to protect themselves in the future. These measures include being cautious of developers who refer each other for roles and scrutinizing resumes. 

Teams should thoroughly verify KYC information, ask detailed questions about claimed locations, and monitor for developers who are fired and then reappear under new accounts. Additionally, teams should watch for declines in performance, regularly review logs for anomalies, be wary of developers using popular NFT profile pictures, and note potential language accents that might suggest origins in Asia.
