
Fake Identities Fuel $500K Monthly Earnings for Korean Devs: ZachXBT

August 16, 2024

Onchain sleuth ZachXBT recently revealed that a group of IT workers posing as blockchain developers is using fake identities and working on dozens of crypto projects. They are allegedly from North Korea.

ZachXBT said that a team recently reached out to him after malicious code had been pushed and $1.3 million was siphoned from the treasury.

The stolen funds were laundered via a sequence of transactions, which included sending them to a “theft address.” Over 16.5 ETH was ultimately sent to different exchanges.

The onchain investigator pointed out that these developers are part of a much more expansive network. Notably, a cluster of developers received $375,000 over the past month. Previous transactions, which summed up to $5.5 million, flowed into an exchange.

ZachXBT revealed that these payments were then associated with IT workers in North Korea. He also tied them to Sim Hyon Sop, an illicit financier who has been sanctioned by the Office of Foreign Assets Control (OFAC).

He also uncovered other payment addresses associated with Sang Man Kim, another OFAC-sanctioned individual, and found Russian Telecom IP overlaps among developers who claimed to be based in the US and Malaysia. At least one of the workers “accidentally leaked their other identities on a notepad.”

Some developers were also placed by recruitment agencies. Given the references they received, “a number of experienced teams” have repeatedly hired them. The onchain sleuth asserted,

“This research proves: A single entity in Asia is receiving $300K - $500k / month from working at 25+ projects at once by using fake identities.”

Right after ZachXBT uncovered this, another project realized that it had hired one of the so-called IT workers. When notified in the group, the North Korean immediately exited the chat and wiped his GitHub.

North Korean developers are infamous for successfully pulling off crypto hacks. Every now and then, when a mishap happens within the industry, they are suspected as the culprits.

WazirX’s recent security breach was linked to North Korean hackers. Likewise, the $600 million Ronin Bridge hack, the largest in DeFi history, was also associated with the notorious Korean hacking group Lazarus.
