Cybersecurity expert ZachXBTβs recent tweets indicate a sophisticated scheme where North Korean IT workers pose as crypto developers, leading to significant financial losses.
The operation resulted in the theft of $1.3 million from a project’s treasury and uncovered a network of over 25 compromised crypto projects active since June 2024. ZachXBTβs research suggests that a single entity in Asia, likely from North Korea, earns $300,000 to $500,000 monthly by working on multiple crypto projects using fake identities.
Theft and Laundering Scheme
The incident began when an anonymous team reached out to ZachXBT for help after $1.3 million was stolen from their treasury. They unknowingly hired North Korean IT workers with fake identities. The stolen funds were swiftly laundered through a series of transactions, including transferring to a theft address, bridging from Solana to Ethereum via deBridge, depositing 50.2 ETH to Tornado Cash, and ultimately transferring 16.5 ETH to two different exchanges.
Mapping the Network
Further investigation revealed that these malicious developers were part of a larger network. By tracking multiple payment addresses, the investigator identified a cluster of 21 developers who had received approximately $375,000 in the last month alone. The investigation also linked these activities to previous transactions totaling $5.5 million, which flowed into an exchange deposit address from July 2023 to 2024.
These payments were tied to North Korean IT workers and Sim Hyon Sop, a figure sanctioned by the Office of Foreign Assets Control (OFAC). Throughout the investigation, several concerning activities were uncovered, including Russian Telecom IP overlap among developers reportedly based in the US and Malaysia. Additionally, one developer accidentally exposed other identities while being recorded. Further investigations revealed that payment addresses were closely linked to those of OFAC-sanctioned individuals, such as Sang Man Kim and Sim Hyon Sop.
The involvement of recruitment companies in placing some developers added complexity to the situation. Several projects employed at least three North Korean IT workers who had referred each other.
Preventive Measures
ZachXBT highlighted that many experienced teams have inadvertently hired deceptive developers, so itβs not entirely fair to blame the teams. However, there are several measures teams can take to protect themselves in the future:
- Be cautious of developers who refer each other for roles.
- Scrutinize resumes and verify GitHub activity.
- Thoroughly verify KYC information.
- Ask detailed questions about developersβ claimed locations.
- Monitor for developers who are fired and then reappear under new accounts.
- Watch for a decline in performance over time.
- Regularly review logs for anomalies.
- Be cautious of developers using popular NFT profile pictures.
- Note potential language accents that could indicate origins in Asia.
Stay informed about the latest developments in the cryptocurrency world by exploring more news on Global Crypto News.