Someone Counter-Hacked a North Korean IT Worker: Here’s What They Found

A team of North Korean IT operatives behind 31 fake identities has been linked to the $680,000 hack of fan-token marketplace Favrr in June. This recent discovery sheds light on the sophisticated methods used by these cyber threat actors, who have been responsible for numerous high-profile crypto hacks in the past.

The $1.4 Billion Exploit of Crypto Exchange Bybit

In February, North Korean-linked workers were involved in a $1.4 billion exploit of crypto exchange Bybit. This breach highlights the significant threat posed by these cyber threat actors to the global financial system.

These workers have siphoned millions from crypto protocols over the years, demonstrating their expertise and resources. Their ability to blend in with legitimate companies and individuals makes them formidable opponents for law enforcement agencies and cybersecurity teams.

The Fake Identities: A Web of Deception

A small team of six North Korean IT workers shares at least 31 fake identities, which they use to obtain government IDs, phone numbers, LinkedIn accounts, and Upwork credentials. These fabricated personas allow them to mask their true identities and land crypto jobs.

One worker supposedly interviewed for a full-stack engineer position at Polygon Labs, while another claimed experience at NFT marketplace OpenSea and blockchain oracle provider Chainlink. This level of deception underscores the sophistication of these cyber threat actors.

The Leaked Documents: A Glimpse into Their Operations

Leaked documents reveal that the North Korean IT workers secured "blockchain developer" and "smart contract engineer" roles on freelance platforms like Upwork. They used remote access software like AnyDesk to carry out work for unsuspecting employers, hiding their locations behind VPNs.

Google Drive exports and Chrome profiles showed they used Google tools to manage schedules, tasks, and budgets, communicating in English while using Google's Korean-to-English translation tool. One spreadsheet revealed that the IT workers spent a combined $1,489.8 on expenses in May to carry out their operations.

The Payoneer Wallet: A Link to the $680,000 Hack

One of the wallet addresses used by the North Koreans, "0x78e1a," is "closely tied" to the $680,000 exploit on fan-token marketplace Favrr in June 2025. This connection highlights the importance of monitoring suspicious activity and conducting thorough due diligence.

A Call to Action: Crypto Firms Must Do More Due Diligence

ZachXBT, a crypto sleuth, called on crypto and tech firms to do more homework on potential hires, noting that many of these operations aren't highly sophisticated, but the volume of applications often leads to hiring teams becoming negligent.

He also emphasized the need for collaboration between tech firms and freelance platforms to prevent such breaches in the future. As the threat landscape continues to evolve, it's essential for companies to stay vigilant and proactive in protecting themselves against these types of cyber attacks.