In decentralized finance (DeFi), scams and malicious actors are, unfortunately, a constant threat. ZachXBT, known for his investigative work in uncovering crypto fraud, has once again exposed a massive, under-the-radar operation that had the audacity to infiltrate 25+ crypto projects. This time, the operation wasn’t merely a phishing scam or rug pull; it involved a sophisticated network of North Korean IT workers using fake identities to siphon millions from project treasuries.
The Incident: A $1.3M Heist
The drama unfolded when a team reached out to ZachXBT after $1.3M vanished from their treasury due to malicious code that had been pushed by their developers. Upon investigating, ZachXBT discovered that the team had unknowingly hired multiple North Korean IT workers disguised as developers with fake identities. These devs were no amateurs. They managed to exploit their trusted roles within the project to orchestrate the theft, leading to the following laundering scheme:
- Transfer $1.3M to a theft address (Address: 6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet)
- Bridge $1.3M from Solana to Ethereum via deBridge
- Deposit 50.2 ETH to Tornado Cash, a notorious Ethereum mixer
- Transfer 16.5 ETH to two separate exchanges
But this wasn’t an isolated case. The investigation quickly grew as Zach uncovered an entire network of developers with ties to North Korea’s sanctioned entities, siphoning funds and working across multiple crypto projects.
The Larger Network: 25+ Crypto Projects at Risk
Further investigation revealed a more extensive operation that had been running since June 2024. ZachXBT managed to map out a cluster of payment addresses tied to 21 developers who were part of the same network. This cluster had processed around $375K in payments over the previous month.
Through this network of DPRK-linked developers, over $5.5M had flowed into exchange deposit addresses between July 2023 and 2024. Among the names connected to these payments was Sim Hyon Sop, a figure under OFAC (Office of Foreign Assets Control) sanctions for his role in North Korea’s cyber activities.
Funny But Disturbing Moments: Accidental Leaks and IP Overlaps
While the investigation was a serious matter, it wasn’t without its moments of dark humor. For example, one of the devs accidentally leaked their multiple identities while being recorded, revealing the tangled web of fake personas. Additionally, ZachXBT found amusing overlaps in IP addresses: the devs supposedly based in the U.S. and Malaysia were actually using Russian Telecom services.
More disturbingly, Zach discovered that the payment addresses of several of these devs were just a few hops away from notorious names like Sang Man Kim and Sim Hyon Sop, both under OFAC sanctions for their roles in North Korea’s malicious cyber activities.
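The laundering chain listed earlier (theft address, bridge, mixer, exchange deposits) and the "a few hops away" observation above are both instances of hop-distance analysis over a transfer graph. The following Python sketch is an added illustration, not code from the article or from ZachXBT's own tooling: it walks a constructed transfer graph and reports how many hops separate a starting address from any address labeled as a mixer, exchange deposit, or sanctioned entity. Every address, label, and amount here is a placeholder.

```python
from collections import deque

# Constructed sample data shaped like the flow the article describes
# (treasury -> theft address -> bridge -> mixer / exchange deposits) plus a
# payment address that sits three hops from a sanctioned entity. All values
# are placeholders, not real on-chain addresses.
TRANSFERS = [
    ("treasury", "theft_addr", 1_300_000),
    ("theft_addr", "bridge_solana_to_eth", 1_300_000),
    ("bridge_solana_to_eth", "eth_receiver", 1_300_000),
    ("eth_receiver", "mixer_deposit", 50.2),
    ("eth_receiver", "exchange_A_deposit", 10.0),
    ("eth_receiver", "exchange_B_deposit", 6.5),
    ("dev_payment_addr", "intermediate_1", 12_000),
    ("intermediate_1", "intermediate_2", 12_000),
    ("intermediate_2", "sanctioned_entity", 12_000),
    ("unrelated_addr", "exchange_A_deposit", 500),
]

# Address labels a defender would maintain from sanctions lists and
# exchange/mixer attribution (constructed for this example).
LABELS = {
    "mixer_deposit": "mixer",
    "exchange_A_deposit": "exchange",
    "exchange_B_deposit": "exchange",
    "sanctioned_entity": "ofac_sanctioned",
}

def build_graph(transfers):
    """Adjacency list of outbound transfers: sender -> [(receiver, amount)]."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph

def reachable_labels(graph, start, labels, max_hops=5):
    """Breadth-first walk downstream from `start`, at most `max_hops` deep.
    Returns a sorted list of (hops, address, label) for every labeled
    address reached, so the nearest mixer/exchange/sanctioned hit comes first."""
    hits = []
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        addr, hops = queue.popleft()
        if addr in labels and addr != start:
            hits.append((hops, addr, labels[addr]))
        if hops >= max_hops:
            continue
        for nxt, _amount in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return sorted(hits)
```

Running it against a real transfer set means replacing `TRANSFERS` with exported chain data and `LABELS` with attribution you trust; the hop count, not the label alone, is what turns a payment address into something worth a closer look.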
How Did They Do It?
These devs didn’t merely worm their way into a single project; they were operating across multiple projects at once. The use of recruitment agencies helped place them into teams where they could exert influence and move funds. ZachXBT’s research uncovered that some of these developers were involved in more than 25 crypto projects simultaneously, raking in between $300K and $500K per month by using fake identities.
Spotting the Red Flags: How to Protect Your Project
As the crypto space grows, so does the complexity and sophistication of attacks. ZachXBT outlined a few tell-tale signs that teams should look out for when hiring developers, especially given this recent infiltration:
- Referral Networks: Be wary if a dev is highly recommended by other devs who all seem to know each other. These groups often refer one another into new roles to keep their network intact.
- Too Good to Be True Resumes: Excellent GitHub activity and attractive resumes are often masks for shady work histories. Don’t just rely on surface-level activity—ask probing questions.
- KYC with Fake IDs: These devs are often willing to submit to KYC (Know Your Customer) checks, but they submit fake identification in hopes that teams won’t dig deeper.
- Location Inconsistencies: Ask specific questions about the location they claim to be from. Fake identities often fail to hold up under close scrutiny.
- Swift Replacements: If one dev gets fired, another account might pop up almost immediately, claiming to be a new hire. This could be an indication of the same network trying to maintain control.
- Performance Declines: While these devs might initially perform well, they tend to underperform once embedded in the project, often after the first round of payments has been sent.
- Common Interests: They may have popular NFT profile pictures, often as part of a ruse to blend in with the broader crypto community.
- Accents and Communication Styles: While not definitive, many of these devs have a discernible Asian accent when communicating on calls, which could be a further indicator.
No Conspiracy, Just Hard Facts
If you’re one of the skeptics who think attributing every crypto scam to North Korea is a conspiracy, ZachXBT’s research proves otherwise. The evidence points to a single entity in Asia receiving between $300K and $500K per month by working at 25+ projects concurrently, all under fake identities.
This operation showcases the growing threat that nation-state actors, particularly those from North Korea, pose to the decentralized finance sector. They are not just stealing crypto through hacks and phishing attacks but are now embedding themselves within projects to extract funds directly from the inside.
Vigilance is Key
ZachXBT’s latest investigation is a stark reminder of the dangers lurking in the DeFi space. As decentralized projects continue to innovate and grow, so too will the sophistication of bad actors looking to exploit the system. This case highlights the need for stricter vetting processes, enhanced due diligence, and continuous monitoring within the crypto community.
The line between legitimate developer and cybercriminal is thinner than ever, and teams must remain vigilant to ensure they don’t become the next victim in a growing web of crypto fraud.
Author Profile
- I have been writing articles about finance, the stock market and wealth management since 2008. I have worked as an analyst, fund manager and as a junior trader in 7 different institutions.
Published August 16, 2024 in Crypto: Uncovering North Korean IT Workers in DeFi Scam