Thomas Daniels

Published On: 16/08/2024
North Korean IT Workers Linked to $1.3M Crypto Theft: ZachXBT Exposes Scheme
North Korea

Recent findings by cybersecurity expert ZachXBT have uncovered a sophisticated theft and laundering scheme involving North Korean IT workers posing as crypto developers. The operation, which led to the theft of $1.3 million from a project’s treasury, has exposed a network of over 25 compromised crypto projects active since June 2024.

ZachXBT’s investigation points to a single entity, likely operating out of North Korea, that has been receiving between $300,000 and $500,000 monthly by simultaneously infiltrating multiple crypto projects using fake identities.

The Theft and Laundering Scheme

The incident came to light when an anonymous project team sought ZachXBT’s assistance after $1.3 million was stolen from their treasury. The team had unknowingly hired several North Korean IT workers who had joined the project under fake identities.

The stolen funds were quickly laundered through a series of complex transactions. These included transferring the funds to a theft address, bridging assets from Solana to Ethereum via deBridge, depositing 50.2 ETH into Tornado Cash, and eventually transferring 16.5 ETH to two different exchanges.

Mapping the Network

Further investigation revealed that these developers were part of a larger, organized network. ZachXBT traced multiple payment addresses, uncovering a cluster of 21 developers who collectively received approximately $375,000 in the past month alone.

This investigation also linked the current activities to previous transactions amounting to $5.5 million, which were funneled into an exchange deposit address between July 2023 and 2024. These transactions were connected to North Korean IT workers and Sim Hyon Sop, a figure already sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The investigation revealed concerning overlaps in IP addresses associated with Russian Telecom, even though the developers claimed to be based in the U.S. and Malaysia.

In one case, a developer inadvertently exposed other identities while being recorded, leading to further connections between payment addresses and OFAC-sanctioned individuals, including Sang Man Kim and Sim Hyon Sop. The investigation also highlighted the role of recruitment companies in placing these developers, adding another layer of complexity. Some projects employed at least three North Korean IT workers who referred each other, deepening the network’s infiltration.

Preventive Measures

ZachXBT emphasized that many experienced teams have unknowingly hired deceptive developers, making it unfair to solely blame the teams. However, there are several preventive measures that can help protect against such threats. These include:

  • Exercising caution when developers refer each other for roles.
  • Scrutinizing resumes and verifying KYC information thoroughly.
  • Asking detailed questions about developers’ claimed locations.
  • Monitoring for developers who reappear under new accounts after being fired.
  • Watching for a decline in performance over time.
  • Regularly reviewing logs for anomalies.
  • Being cautious of developers using popular NFT profile pictures.
  • Noting language accents that might suggest origins in Asia.
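Several items on the checklist above (claimed location versus where logins actually originate, referral chains between hires, accounts that resurface after a termination, and log review in general) can be cross-checked mechanically against a project's access logs. The script below is an added example written for this page; it is not ZachXBT's tooling or anything from the affected project. It assumes an access log whose source IPs have already been resolved to a country and ASN by an upstream geolocation step, and the developer records and log lines it uses are constructed samples (documentation IP ranges and reserved ASNs), not data from the investigation.

```python
"""Cross-check contractor records against access logs.

Added example for the vetting checklist; not from the article or ZachXBT.
Assumes each log line already carries a resolved country and ASN for the
source IP (done upstream by an IP-intelligence lookup). All sample data
below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Developer:
    account: str
    claimed_country: str            # location stated on the application / KYC
    referred_by: Optional[str] = None
    terminated: bool = False


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    ip: str
    country: str                    # assumed resolved upstream from the IP
    asn: str


# Constructed contractor records (hypothetical accounts).
DEVELOPERS = [
    Developer("dev_alice", "US"),
    Developer("dev_bob", "US"),
    Developer("dev_carl", "MY", referred_by="dev_bob"),
    Developer("dev_dan", "US", referred_by="dev_carl"),
    Developer("dev_eve", "US", terminated=True),
]

# Constructed access log: timestamp account source_ip country asn.
# IPs are from documentation ranges; ASNs from the reserved documentation block.
ACCESS_LOG = """\
2024-06-20T02:01:00Z dev_eve 192.0.2.88 RU AS64502
2024-07-01T09:12:03Z dev_alice 203.0.113.10 US AS64500
2024-07-01T10:44:19Z dev_bob 198.51.100.7 US AS64501
2024-07-02T02:03:55Z dev_bob 192.0.2.88 RU AS64502
2024-07-02T02:15:41Z dev_carl 192.0.2.88 RU AS64502
2024-07-03T01:58:12Z dev_bob 192.0.2.89 RU AS64502
2024-07-03T02:10:00Z dev_dan 192.0.2.90 RU AS64502
2024-07-04T03:22:47Z dev_carl 192.0.2.91 RU AS64502
2024-07-05T11:00:00Z dev_alice 203.0.113.11 US AS64500
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated lines into Event records, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, asn = line.split()
        events.append(Event(ts, account, ip, country, asn))
    return events


def location_mismatches(devs, events, threshold=0.5):
    """Accounts whose logins mostly come from outside the country they claimed.

    Returns {account: (claimed_country, {country: login_count})}.
    """
    by_acct = defaultdict(Counter)
    for e in events:
        by_acct[e.account][e.country] += 1
    findings = {}
    for d in devs:
        seen = by_acct.get(d.account)
        if not seen:
            continue
        foreign = sum(n for c, n in seen.items() if c != d.claimed_country)
        if foreign / sum(seen.values()) >= threshold:
            findings[d.account] = (d.claimed_country, dict(seen))
    return findings


def shared_ips(events):
    """Source IPs used by more than one account: separate hires on shared infrastructure."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e.ip].add(e.account)
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) > 1}


def referral_chains(devs, min_len=3):
    """Chains of hires who referred one another, at least min_len long (cycle-safe)."""
    by_name = {d.account: d for d in devs}
    chains = []
    for d in devs:
        chain, cur = [d.account], d
        while cur.referred_by in by_name and cur.referred_by not in chain:
            chain.append(cur.referred_by)
            cur = by_name[cur.referred_by]
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


def reappearances(devs, events):
    """Active accounts that share a source IP with a terminated account."""
    ips_of = defaultdict(set)
    for e in events:
        ips_of[e.account].add(e.ip)
    terminated = [d.account for d in devs if d.terminated]
    result = {}
    for d in devs:
        if d.terminated:
            continue
        for t in terminated:
            if ips_of.get(d.account, set()) & ips_of.get(t, set()):
                result.setdefault(d.account, set()).add(t)
    return result


def audit(devs, log_text):
    """Run all four checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "location_mismatch": location_mismatches(devs, events),
        "shared_ips": shared_ips(events),
        "referral_chains": referral_chains(devs),
        "reappearances": reappearances(devs, events),
    }


if __name__ == "__main__":
    for check, finding in audit(DEVELOPERS, ACCESS_LOG).items():
        print(f"{check}: {finding}")
```

None of these findings is proof on its own: a single VPN exit or a legitimate referral will trip them, which is why each check returns the underlying evidence (login counts per country, the shared IP, the chain) rather than a verdict. The value is in the overlap: an account that is flagged by the location check, shares infrastructure with a terminated account, and sits in a referral chain deserves the detailed questioning the checklist recommends.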

These steps are crucial for safeguarding crypto projects against similar threats in the future.
