Overview
A North Korean IT group, operating under at least 31 fake identities, has been tied to the $680,000 hack of the fan-token marketplace Favrr in June 2025.
Leaked screenshots from one of the workers’ devices revealed how the team infiltrated crypto projects — using Google services, rented computers, VPNs, and freelance platforms to mask their true identities.
The findings were first made public by blockchain investigator ZachXBT, who shared details from a source that managed to compromise one of the hackers’ machines.
What the Counter-Hack Revealed
- A team of just six North Korean operatives managed to control at least 31 fake personas.
- They acquired forged IDs, phone numbers, LinkedIn and UpWork accounts to pose as international developers.
- Some even faked job interviews with big firms — one tried to land a full-stack role at Polygon Labs, while others claimed fake past work experience at OpenSea and Chainlink.
- Pre-written interview scripts were found on their devices, showing carefully staged answers.
🛠 Tools & Tactics Used
🛡 VPNs – Hid their true locations while working.
A leaked spreadsheet showed they spent $1,489.80 in May on operational costs, including accounts, tools, and proxies.
The $680,000 Crypto Heist
Evidence connected one of their wallets (0x78e1a) directly to the Favrr exploit, which drained $680,000 in June 2025.
In fact, these workers frequently use Payoneer to move money from fiat into crypto, making tracking more difficult.
At the time, ZachXBT suggested that Favrr’s chief technology officer “Alex Hong” and other developers were North Korean operatives in disguise.
What They Were Researching
Interestingly, the data also showed their learning interests:
- Could ERC-20 tokens be launched on Solana?
- Who are the leading AI companies in Europe?
This suggests they are constantly probing new technologies to expand their tactics.
Why Companies Need to Be Careful
ZachXBT emphasized that crypto and tech firms must do more due diligence when hiring.
- Many of these infiltrations are not highly sophisticated.
- The problem arises because of the sheer number of job applications, making vetting harder.
- Lack of cooperation between tech companies and freelance platforms creates gaps for these actors to slip through.
Just last month, the US Treasury sanctioned two individuals and four entities tied to this North Korean IT worker network.
Key Takeaways for Crypto Firms
- Always verify job applicants’ work history and credentials.
- Watch for suspicious overlaps in identities (same skills, different names).
- Strengthen collaboration with freelance platforms to spot fake accounts.
- Assume attackers are constantly adapting — from crypto protocols to AI.
