ZachXBT reveals how North Korean spies stealthily infiltrate cryptocurrency projects

  • The most recent heist happened after the developers, who had been hired under false pretenses, pushed malicious code that enabled the transfer of funds.

ZachXBT, a crypto investigator, has revealed a complex scheme in which North Korean IT personnel broke into the development team of a project and stole $1.3 million from its funds.

The theft happened after the developers, who had been hired under false pretenses, pushed malicious code that facilitated the transfer of funds.

Internal larceny

ZachXBT traced the stolen funds through a convoluted money-laundering process. The $1.3 million was first sent to a theft address and then bridged from Solana to Ethereum using deBridge.

To obscure the trail, the offenders then deposited 50.2 ETH into Tornado Cash, a well-known cryptocurrency mixer. Finally, they moved 16.5 ETH to two separate exchanges.

The technique is akin to that of the infamous North Korean hacking collective Lazarus.

Over the course of his inquiry, ZachXBT found that since June 2024 these North Korean IT workers have been involved in over 25 distinct cryptocurrency projects. In the last month alone he identified a cluster of payments totaling over $375,000 made to 21 developers, who used multiple payment addresses.

After more investigation, it was discovered that between July 2023 and July 2024, payments totaling $5.5 million had been made to an exchange deposit account linked to North Korean IT professionals. Additionally, these payments revealed ties to Sim Hyon Sop, a person the US Office of Foreign Assets Control (OFAC) has sanctioned.

Strange tendencies

ZachXBT’s investigation also revealed odd behavior and mistakes made by the bad actors, such as IP overlaps between engineers who were purportedly based in Malaysia and the US, and unintentional disclosures of different identities during a recorded session.

Recruitment firms placed a few developers, and multiple projects involved three or more IT workers who recommended one another.

In response to the discovery, ZachXBT has been contacting the affected projects, asking them to review their logs and carry out more extensive background checks. He listed a number of warning signs that companies should watch for: engineers recommending one another for jobs, inconsistencies in employment history, and resumes or GitHub activity that appear unusually polished.
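One way to run the log review ZachXBT recommends, as an added Python example that is not part of the article: it flags IPs shared by contractors who declared different countries (the overlap described above) and referral clusters of three or more developers. Developer names, IPs and referral edges below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one login record per
# contractor session, with the country each contractor claimed when hired.
SESSIONS = [
    {"dev": "alice", "claimed_country": "US", "ip": "203.0.113.10"},
    {"dev": "bob",   "claimed_country": "MY", "ip": "203.0.113.10"},
    {"dev": "carol", "claimed_country": "US", "ip": "198.51.100.7"},
    {"dev": "dave",  "claimed_country": "DE", "ip": "198.51.100.7"},
    {"dev": "frank", "claimed_country": "US", "ip": "192.0.2.5"},
    {"dev": "grace", "claimed_country": "US", "ip": "192.0.2.5"},
]

# Constructed referral edges (referrer, referred) as recorded by hiring.
REFERRALS = [("alice", "bob"), ("bob", "carol"), ("carol", "alice"),
             ("dave", "frank")]


def ip_overlaps(sessions):
    """Return {ip: {dev: claimed_country}} for every IP used by two or more
    developers whose claimed countries differ. Same-country sharing (an
    office, a shared VPN) is ignored to keep the signal focused."""
    by_ip = defaultdict(dict)
    for s in sessions:
        by_ip[s["ip"]][s["dev"]] = s["claimed_country"]
    return {ip: devs for ip, devs in by_ip.items()
            if len(set(devs.values())) > 1}


def referral_rings(referrals, min_size=3):
    """Treat referrals as an undirected graph and return each connected
    group of at least min_size developers who referred one another."""
    adj = defaultdict(set)
    for referrer, referred in referrals:
        adj[referrer].add(referred)
        adj[referred].add(referrer)
    seen, rings = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:  # depth-first walk of one component
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        if len(comp) >= min_size:
            rings.append(frozenset(comp))
    return rings


if __name__ == "__main__":
    for ip, devs in ip_overlaps(SESSIONS).items():
        print(f"shared IP {ip}: {devs}")
    for ring in referral_rings(REFERRALS):
        print("referral cluster:", sorted(ring))
```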

The story illustrates the ongoing weaknesses of the cryptocurrency sector, where even seasoned teams may inadvertently bring on bad actors. According to ZachXBT’s research, a single company in Asia could make between $300,000 and $500,000 a month by using fictitious identities to obtain contracts across a number of projects.


Author: Puskar Pande
