Blockchain investigator ZachXBT recently uncovered a case involving North Korean developers who reportedly stole $1.3 million from a project’s treasury. These developers, hired under false identities, inserted malicious code into the system, enabling them to make an unauthorized transfer of funds. The stolen money was first sent to a theft address, then moved from Solana to Ethereum through the deBridge platform. Subsequently, 50.2 ETH was deposited into Tornado Cash, a crypto mixer that conceals transaction trails, followed by the transfer of 16.5 ETH to two different exchanges.
ZachXBT’s investigation revealed that North Korean IT workers have infiltrated more than 25 crypto projects since June 2024. It is suspected that a single entity based in Asia, potentially in North Korea, might be receiving between $300,000 to $500,000 monthly while employing at least 21 workers across various crypto projects. Prior to this incident, $5.5 million had been funneled into an exchange deposit address associated with payments to North Korean IT workers from July 2023 to July 2024. These payments were traced back to Sim Hyon Sop, an individual sanctioned by the US Office of Foreign Assets Control (OFAC).
The investigation identified several irregularities and mistakes made by the malicious actors. These included IP overlaps among developers purportedly located in the US and Malaysia, as well as inadvertent disclosures of alternative identities during recorded sessions. Following the discovery, ZackXBT advised affected projects to examine their logs thoroughly and conduct more rigorous background checks. He also highlighted warning signs that teams should watch out for, such as referrals for positions from other developers, inconsistencies in work history, and overly polished resumes or GitHub profiles.
Organizations linked to North Korea, like the infamous Lazarus Group, have a long history of involvement in cybercrime. Their tactics range from phishing scams and exploiting software vulnerabilities to unauthorized system access, private key theft, and even physical infiltration of organizations. The Lazarus Group alone is believed to have stolen over $3 billion in crypto assets from 2017 to 2023. In 2022, the US government issued a warning about the increasing number of North Korean individuals entering freelance tech roles, particularly within the crypto sector.
This alarming trend underscores the importance of heightened security measures and vigilance within the crypto community to protect against such malicious activities. Vigorous background checks, thorough monitoring of project contributors, and enhanced security protocols are essential to safeguarding the integrity of crypto projects and preventing financial losses due to cybercrime.
Leave a Reply