Recent tweets from cybersecurity expert ZachXBT suggest that a sophisticated scheme is underway involving North Korean IT workers posing as cryptocurrency developers.
He reported (x.com/zachxbt/status/1824047425822310580) that the operation led to the theft of $1.3 million from a project’s treasury and exposed a network of over 25 compromised crypto projects active since June 2024.
ZachXBT’s research strongly suggests that a single entity in Asia, likely operating out of North Korea, is receiving between $300,000 and $500,000 per month by simultaneously working on over 25 crypto projects under fake identities.
The theft and money laundering scheme
The incident began when a team that remained anonymous contacted ZachXBT for help after $1.3 million was stolen from their treasury. Unbeknownst to them, they had hired several North Korean IT workers who used fake identities to infiltrate the team.
The stolen funds, totaling $1.3 million, were quickly laundered through a sequence of transactions: transferring them to the theft address, bridging SOL to Ethereum (ETH) via deBridge, depositing 50.2 ETH into Tornado Cash, and ultimately transferring 16.5 ETH to two different exchanges.
Network mapping
Further investigation revealed that the malicious developers were part of a larger network. By following multiple payment addresses, the researcher identified a group of 21 developers who had received approximately $375,000 (x.com/zachxbt/status/1824047425822310580) in the last month alone.
The investigation also linked these activities to previous transactions totaling $5.5 million, which flowed to an exchange deposit address between July 2023 and 2024.
These payments were linked (x.com/zachxbt/status/1824047465827602550) to North Korean IT workers and to Sim Hyon Sop, a figure sanctioned by the Office of Foreign Assets Control (OFAC). Throughout the investigation, several troubling activities came to light, including instances of overlapping Russian telecom IP addresses between developers purportedly based in the United States and Malaysia.
Additionally, one developer accidentally exposed other identities while being recorded. Further investigation revealed that the payment addresses were closely linked to those of OFAC-sanctioned individuals, including Sang Man Kim and Sim Hyon Sop.
The situation was further complicated by the involvement of recruitment companies in the placement of some developers. In addition, several projects employed at least three North Korean IT workers who had recommended each other.
Preventive measures
ZachXBT pointed out (x.com/zachxbt/status/1824047480121729425) that many experienced teams have unwittingly hired deceitful developers, so it is not entirely fair to blame the teams. However, there are several steps teams can take to protect themselves in the future.
These measures include being wary of developers who recommend each other for positions, scrutinizing resumes, thoroughly checking KYC information, asking detailed questions about developers’ declared locations, monitoring developers who are fired and then reappear with new accounts, watching for a decline in performance over time, periodically reviewing logs for anomalies, being wary of developers who use popular NFT profile images, and taking note of potential linguistic accents that could indicate origins in Asia.
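One way to implement the log-review step, as an added example that is not from the article or from ZachXBT: a Python script that flags source networks shared by developer accounts whose declared locations disagree, the pattern behind the overlapping-IP finding described above. The log format, account names and IP addresses are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (not real data):
# timestamp, account, declared country, source IP.
SAMPLE_LOG = """\
2024-08-01T09:12:03Z dev_alice US 203.0.113.17
2024-08-01T09:15:44Z dev_bob MY 203.0.113.17
2024-08-01T10:02:10Z dev_carol US 198.51.100.8
2024-08-02T11:40:21Z dev_dave MY 203.0.113.21
2024-08-02T12:05:55Z dev_carol US 198.51.100.8
2024-08-03T08:30:00Z dev_erin GB 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]{2}) (\S+)$")


def parse_log(text):
    """Return (account, declared_country, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, account, country, ip = m.groups()
        try:
            ipaddress.ip_address(ip)  # reject garbage in the IP column
        except ValueError:
            continue
        records.append((account, country, ip))
    return records


def shared_ip_conflicts(records, prefix_len=24):
    """Group accounts by source network (default /24) and report networks
    used by more than one account where the declared countries disagree."""
    by_net = defaultdict(dict)  # network -> {account: declared country}
    for account, country, ip in records:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)][account] = country
    findings = []
    for net, accounts in sorted(by_net.items()):
        if len(accounts) > 1 and len(set(accounts.values())) > 1:
            findings.append((net, dict(sorted(accounts.items()))))
    return findings


if __name__ == "__main__":
    for net, accounts in shared_ip_conflicts(parse_log(SAMPLE_LOG)):
        print(f"{net}: {accounts}")
```

Lowering `prefix_len` to 32 restricts the match to the exact address; widening it catches accounts rotating within the same provider range, at the cost of more false positives from large shared networks.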