Counter-Hack Exposes North Korean IT Workers Behind $680K Crypto Theft
A rare leak from inside a North Korean hacking operation has shed light on how a small team of operatives infiltrates crypto projects, using fake identities, freelance platforms, and everyday tech tools to carry out multimillion-dollar heists.
The six-member team, linked to the $680,000 June 2025 hack of fan-token marketplace Favrr, was exposed after an unnamed source compromised one of their devices. Screenshots shared by blockchain investigator ZachXBT revealed their methods, spending habits, and infiltration strategies.
Fake Identities and Job Infiltration
The team operated under at least 31 fake identities, complete with forged government IDs, phone numbers, and purchased LinkedIn and Upwork accounts. These personas were used to secure roles such as “blockchain developer” and “smart contract engineer” on freelance platforms.
Evidence showed that one operative even interviewed for a full-stack engineer position at Polygon Labs, while others claimed fake experience at OpenSea and Chainlink. To execute their work, they relied on AnyDesk for remote access, VPNs to mask their location, and Payoneer to convert fiat into crypto.
Google Tools and Operational Costs
The hackers extensively used Google Drive, Chrome profiles, and Google Translate to manage schedules, budgets, and communications — primarily in English. A leaked spreadsheet revealed the group spent $1,489.80 in May on operational expenses.
Link to the Favrr Exploit
ZachXBT identified a wallet address (“0x78e1a”) closely tied to the Favrr hack, which saw $680,000 in crypto stolen. At the time, he alleged that Favrr’s CTO “Alex Hong” and several developers were actually North Korean operatives working under false identities.
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.
Additional DPRK ITWs were identified at projects from the 0x78e1 address. https://t.co/BPZmFo8n5d pic.twitter.com/DcQnvNetxY
— ZachXBT (@zachxbt) August 13, 2025
The same group has been connected to other major exploits, including the $1.4 billion Bybit exchange hack in February 2025, as well as numerous thefts from DeFi protocols.
Broader Threat and Industry Response
Leaked searches from their devices showed curiosity about blockchain interoperability (“Can ERC-20 tokens be deployed on Solana?”) and global AI companies — suggesting a broad scope of interest beyond crypto theft.
ZachXBT urged crypto and tech companies to strengthen due diligence when hiring remote workers, noting that many DPRK-linked operations are not highly advanced but succeed due to high application volumes and weak screening.
In July 2025, the U.S. Treasury sanctioned two individuals and four entities for running a North Korea-based IT worker ring targeting cryptocurrency firms.