Cybersecurity expert ZachXBT recently revealed a complex crypto theft scheme involving North Korean IT workers masquerading as cryptocurrency developers. This operation resulted in a theft of $1.3 million from a project’s treasury and uncovered a network of over 25 compromised crypto projects that have been active since June 2024.Â
ZachXBT’s research indicates that a singular entity, likely based in North Korea, is earning between $300,000 to $500,000 monthly by collaborating on multiple projects under false identities.
Money Laundering and Crypto Theft SchemeÂ
The incident came to light when a previously anonymous team approached ZachXBT for assistance after discovering the $1.3 million theft from their treasury. Unbeknownst to them, they had inadvertently hired several North Korean IT workers who used fake identities to infiltrate their operation. The funds were quickly laundered through a series of transactions, which included sending the money to a theft address, bridging from Solana to Ethereum via the deBridge protocol, depositing 50.2 ETH into Tornado Cash, and ultimately splitting 16.5 ETH between two different exchanges.
Mapping the Malicious NetworkÂ
Further investigation uncovered a larger network of malicious developers. By tracing multiple payment addresses, ZachXBT identified a group of 21 developers who received around $375,000 in the last month. Additionally, these activities were linked to prior transactions totalling $5.5 million that flowed into an exchange deposit address between July 2023 and 2024. Most of these deals were connected to North Korean IT experts, and among them is Sim Hyon Sop, who the OFAC blacklists. Notably, the investigation also revealed sharing of IP addresses from Russian telecommunications by the developers who appeared to be based in the U.S and Malaysia. One developer made more accounts public by mistake while performing tasks during a live stream.
Preventive Measures for Crypto ProjectsÂ
Advertisement Banner
ZachXBT emphasised that many reputable teams have unknowingly hired deceptive developers, and thus it’s unjust to place all the blame on them. To safeguard against such infiltrations in the future, teams can adopt several preventive strategies. These include being wary of developers who refer each other for positions, thoroughly checking resumes, extensively verifying Know Your Customer (KYC) information, posing detailed questions about claimed locations, monitoring for developers whose performance declines over time, reviewing logs regularly for inconsistencies, and being suspicious of developers using popular NFT profile pictures, as well as noting any accents that might suggest origins in Asia.
How the Crypto Theft Was ExecutedÂ
According to ZachXBT, the individuals behind this crypto theft scheme utilised various deceptive tactics to avoid detection. They established interconnected networks, where developers referred colleagues for roles, thus creating a guise of legitimacy. They successfully infiltrated various crypto projects by crafting convincingly fictitious resumes and GitHub profiles. Additionally, they provided forged identification during KYC processes, which was designed to be a crucial security step but was easily bypassed due to their duplicity.
ZachXBT urged projects within the crypto industry to look for any signs that infiltration compromised them. Hiring more developers from the same network should be a red flag. Some of these are inconsistencies in the claimed location and actual accent, sharp dip in work quality, and multiple account creations within a short span of time once the previous account was terminated. The scale of this crypto theft is incredible; the approximate monthly profit of a single subject from Asia is between $300,000 and $500,000 while performing more than 25 projects daily. The effects that the decision has on the financial aspect of cryptocurrencies are tremendous.
Previous North Korean Cyber Theft ActivitiesÂ
North Korea appears to be more involved in the crypto theft than before. This is not the first such incident, evident from the UN’s annual report, which even came across 58 cyberattacks proposed to be associated with North Korea since 2017. These attacks are mainly directed towards cryptocurrency services and are used to fund nuclear and ballistic missile programs of the regime. The UN report reveals North Korea continues to engage in illicit activities, including smuggling of oil products, arms trafficking and exporting labour overseas to evade the UN sanctions. A letter leaked to the UN showed North Korea had laundered $147.5 million in stolen cryptocurrencies via the Tornado Cash mixer.
The recent crypto theft development that North Korean cybercriminals have used Tornado Cash for money laundering makes it challenging for the authorities to handle the situation amid the recent arrest of the platform co-founder Alexey Pertsev. These issues could have dire consequences on the legal processes involving the platform.
Â
The price predictions and financial analysis presented on this website are for informational purposes only and do not constitute financial, investment, or trading advice. While we strive to provide accurate and up-to-date information, the volatile nature of cryptocurrency markets means that prices can fluctuate significantly and unpredictably.
You should conduct your own research and consult with a qualified financial advisor before making any investment decisions. The Bit Journal does not guarantee the accuracy, completeness, or reliability of any information provided in the price predictions, and we will not be held liable for any losses incurred as a result of relying on this information.
Investing in cryptocurrencies carries risks, including the risk of significant losses. Always invest responsibly and within your means.
