
North Korean hackers pose as IT staff, drain $1 mln from Web3 projects


One click reopened the mint contract and one hour later, thousands of NFTs were dumped.


  • Hackers posing as IT staff exploited NFT projects, stealing nearly $1 million.
  • North Korean-linked groups are behind 70% of the crypto thefts in 2025, including the $1.5 billion Bybit hack.

A new wave of crypto exploits has rocked the Web3 space, as hackers impersonating IT personnel successfully infiltrated multiple NFT collections tied to Pepe creator Matt Furie and made off with nearly $1 million in stolen assets.

Attacked Web3 projects and the losses incurred

According to on-chain analyst ZachXBT, these attackers gained insider access to projects like Favrr, Replicandy, and ChainSaw, among others, by posing as legitimate tech workers.

ZachXBT uncovers the hack

Source: ZachXBT/X

Once inside, they manipulated the NFT minting systems to generate large batches of tokens, offloaded them at scale, and triggered a collapse in market value.

The exploit not only drained funds but also destabilized the affected ecosystems, exposing serious vulnerabilities in internal access control and project security.

The timeline of the Replicandy exploit reveals a methodically executed breach, with strong indicators linking it to North Korean IT operatives.

How was the hack carried out?

On the 18th of June, ownership of the Replicandy contract was quietly transferred to a new address (0x9Fca), which later withdrew mint proceeds and resumed minting, eventually crashing the floor price by flooding the market with NFTs.

$310K+ from their projects was stolen

Source: ZachXBT/X

This pattern was once again repeated on the 23rd of June with additional collections, Peplicator, Hedz, and Zogz, causing further devaluation and losses totaling over $310,000.
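The sequence described above (ownership moves to a new address, which then withdraws mint proceeds and resumes minting) can be watched for on the defender's side. The sketch below is an added example, not code from the article or from any affected project; the event labels, placeholder addresses, approved-owner list and 14-day window are all constructed assumptions.

```python
# Constructed, already-decoded contract activity (placeholder addresses, not chain data).
# "ts" is Unix seconds; event kinds are hypothetical labels an indexer would assign.
EVENTS = [
    {"ts": 300, "contract": "0xCOLL_A", "kind": "mint_reopened", "actor": "0xUNKNOWN_1"},
    {"ts": 100, "contract": "0xCOLL_A", "kind": "ownership_transferred",
     "actor": "0xDEV_KEY", "new_owner": "0xUNKNOWN_1"},
    {"ts": 200, "contract": "0xCOLL_A", "kind": "withdraw", "actor": "0xUNKNOWN_1"},
    {"ts": 150, "contract": "0xCOLL_B", "kind": "ownership_transferred",
     "actor": "0xDEV_KEY", "new_owner": "0xTEAM_MULTISIG"},
    {"ts": 400, "contract": "0xCOLL_B", "kind": "withdraw", "actor": "0xTEAM_MULTISIG"},
    {"ts": 500, "contract": "0xCOLL_C", "kind": "ownership_transferred",
     "actor": "0xDEV_KEY", "new_owner": "0xUNKNOWN_2"},
]
# Owners the team has signed off on, per contract (assumed to be maintained out of band).
APPROVED_OWNERS = {c: {"0xTEAM_MULTISIG"} for c in ("0xCOLL_A", "0xCOLL_B", "0xCOLL_C")}
PRIVILEGED = {"withdraw", "mint_reopened"}
WINDOW = 14 * 24 * 3600  # seconds to keep correlating actions after a transfer


def find_takeovers(events, approved, window=WINDOW):
    """Flag transfers of ownership to unapproved addresses.

    'review'   : ownership moved to an address nobody approved.
    'critical' : that address then withdrew proceeds or reopened minting.
    """
    cases, current = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # feeds may arrive out of order
        c = ev["contract"]
        if ev["kind"] == "ownership_transferred":
            if ev["new_owner"] in approved.get(c, set()):
                current.pop(c, None)  # back under an approved owner; stop correlating
            else:
                case = {"contract": c, "new_owner": ev["new_owner"],
                        "since": ev["ts"], "actions": []}
                cases.append(case)
                current[c] = case
        elif ev["kind"] in PRIVILEGED and c in current:
            case = current[c]
            if ev["actor"] == case["new_owner"] and ev["ts"] - case["since"] <= window:
                case["actions"].append(ev["kind"])
    for case in cases:
        case["severity"] = "critical" if case["actions"] else "review"
    return cases


if __name__ == "__main__":
    for alert in find_takeovers(EVENTS, APPROVED_OWNERS):
        print(alert)
```

The `review` alert fires on the ownership transfer alone, which is the point at which a team can still react before proceeds are withdrawn or minting is reopened.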

On-chain analysis traced the stolen funds through multiple wallets, ultimately uncovering USDT deposits funneled to MEXC and identifying two suspicious GitHub developer accounts, ‘devmad119’ and ‘sujitb2114’, linked to the breach.

Internal logs further exposed inconsistencies, such as developers claiming to be U.S.-based while using Korean language settings, Asia/Russia time zones, and Astral VPNs.

These red flags strongly suggest the attackers were part of a coordinated North Korean campaign exploiting lax vetting procedures in Web3 hiring.

While the Favrr team responded swiftly with enhanced user safety measures, ChainSaw only issued a brief warning and later deleted it.

Favrr provides solution

Source: Favrr/X

On the other hand, Matt Furie has remained completely silent, hinting that the broader picture points to a far more troubling reality.

The rise of North Korean hackers

North Korean-linked hackers have become increasingly aggressive in 2025, with researchers attributing over $1.6 billion, roughly 70% of all stolen crypto this year, to state-affiliated groups.

The staggering $1.5 billion Bybit breach in February, now believed to be their work, stands as the largest crypto theft in history.

These actors, including the notorious Ruby Sleet group, have extended their reach beyond crypto, previously infiltrating U.S. defense contractors and now targeting IT firms through fake hiring campaigns and elaborate social engineering tactics.

In response to the growing wave of crypto-related fraud and security breaches, nations across the globe are stepping up regulatory safeguards.

In the United States, the Trump administration is actively advancing a series of pro-crypto policies designed to shield the industry from discriminatory banking practices and excessive regulatory pressure.

These include a pending executive order to prohibit financial institutions from targeting crypto firms, efforts to roll back SEC-imposed restrictions like SAB 121, and legislative support for frameworks such as the GENIUS Act to clarify rules for stablecoins and digital assets.

Meanwhile, Australia has moved swiftly to address crypto ATM misuse by capping cash transactions at AU$5,000, enforcing stricter identity checks, and requiring real-time scam warnings.

Together, these measures reflect a coordinated international shift toward a more secure and accountable Web3 environment.

Ishika Kumari is a Crypto Analyst and Content Strategist at AMBCrypto, specializing in the analysis of cryptocurrency regulations, market trends, and the socio-political impact of blockchain technology. Her expertise is grounded in her academic background as a graduate of Political Science from the renowned University of Delhi. This discipline has equipped her with a sophisticated framework for analyzing complex governance models, international regulatory landscapes, and the economic principles that underpin decentralized systems. At AMBCrypto, Ishika applies this unique analytical lens to her work. She excels at breaking down intricate subjects—from the technicalities of new protocols to the nuances of global crypto legislation—into clear, accessible, and insightful content. Her primary mission is to bridge the gap between the complexity of the digital asset industry and the everyday reader, ensuring that AMBCrypto's audience is not just informed, but truly understands the forces shaping the future of finance.