North Korean IT workers infiltrate crypto projects: insider details exposed. ZachXBT reveals a team of five forged over 30 identities, and a $680,000 exploit may be attributable to them.
Renowned on-chain investigator ZachXBT has published a detailed report showing that personnel from the Democratic People's Republic of Korea (DPRK) have infiltrated the crypto assets industry through systematic identity fraud. A five-member team used forged documents to buy Upwork and LinkedIn premium accounts and applied for development positions under false identities to gain access to sensitive project systems. Anonymous sources compromised the team's own devices, exposing operational details and associated wallets; one address is linked to the $680,000 exploit of the Favrr protocol in June 2025. The report lays out the operating model and funding links of this "virtual identity factory" and is a warning for the security of crypto projects.
[Deep Infiltration: The Identity-Forging Factory Exposed]
Fake Identity Network: The North Korean team created over 30 fake identities (one example being "Henry Zhang") and used forged government IDs to buy verified accounts on professional job platforms (Upwork, LinkedIn), successfully infiltrating the development teams of several crypto projects.
Complete Toolchain: Leaked expense records show the systematic procurement of tools for the operation: US Social Security Numbers (SSNs), high-reputation job-platform accounts, phone numbers, AI subscription services, rented cloud computers, and commercial VPN/proxy services (used to mask the team's true location).
Operation Details: Anonymous sources compromised the team's devices and obtained Google Drive contents and Chrome profile data. The team used AnyDesk remote access together with VPNs so that their activity appeared to come from the locations claimed on their profiles; internal Telegram group chats discussed job placements and salary payments (received at an ERC-20 wallet address).
Clear Objective: The documents include meeting schedules for a specific crypto project and a detailed script for maintaining a false identity, with the goal of obtaining access to the project's code repositories (GitHub) and internal systems.
[Key Evidence: On-chain Address Points to the $680,000 Attack]
Wallet Association: ZachXBT's tracing found that the ERC-20 wallet address the team commonly used (0x78e1…) is directly linked to the $680,000 exploit of the Favrr protocol in June 2025.
Identity Confirmed: The attack has been attributed to the project's CTO and several developers; it is now confirmed that these "core technical staff" were in fact North Korean IT workers operating under false identities.
Industry Shock: The finding prompted several crypto projects to carry out urgent internal reviews, and some confirmed that North Korean operatives had infiltrated their development teams or decision-making bodies.
[Source Confirmation: Digital Footprints Point to a North Korean Background]
Despite community doubts about where the operatives were really from, ZachXBT provided corroborating evidence:
Language traces: Browser history shows a large number of Google Translate queries from Korean to English.
Location: Activity was routed through Russian IP addresses, consistent with the known pattern of North Korean IT workers operating from abroad.
Fraudulent Documents: A large collection of forged government IDs and professional certification documents.
[Industry Response: Security Vulnerabilities and Defense Challenges]
Recruitment Weaknesses Highlighted: The community criticized some projects for lacking background checks and for reacting defensively when notified of security alerts. Shaun Potts, founder of the crypto recruitment agency Plexus, pointed out: "This is an inherent operational risk in the industry, akin to hacker attacks that cannot be completely eradicated, but the risks can be mitigated."
Security Threat Escalation: The incident exposed serious gaps in how crypto projects manage access to their code, and many teams may not actually know who has had access to their core codebase.
Detection Success Varies: Some organizations (for example, the exchange Kraken in May 2025) identified and turned away disguised North Korean job applicants, but more projects have fallen victim to this kind of APT (Advanced Persistent Threat) activity.
[Related Case: North Korean Hacker’s “Remote Work” Scam]
Job Scams: In January 2025, similar tactics were used in SMS scams targeting New York residents, luring victims to deposit USDT/USDC under the guise of "remote work assistance" and stealing $2.2 million in crypto assets.
Funds Seizure: In June 2025, U.S. authorities seized over $7.7 million in crypto assets, alleging that it was income earned by North Korean IT workers posing as freelancers, with the proceeds ultimately flowing to the North Korean government.
[Conclusion: The Alarm of Crypto Security in the War of Virtual Identities]
ZachXBT's investigation has exposed a crack in the North Korean state-sponsored infiltration of the crypto assets industry. The sophisticated "virtual identity factory" and mature job-fraud pipeline they have built are no longer isolated acts but a systematic supply chain attack. The associated wallets point to a major exploit, showing that the goal is not only to collect salaries but also to use insider access to launch larger attacks. The incident should be treated as a top-level security alarm by every crypto project:
Strengthen identity verification: Enforce strict multi-factor authentication and background checks, especially for remote technical positions.
Least privilege: Strictly control access to codebases and critical systems, and audit that access regularly.
Threat awareness: The industry needs to share threat intelligence to improve its ability to recognize state-backed threat groups in a geopolitical context.
Regulatory cooperation: Responding to state-level threats requires stronger international law-enforcement cooperation to cut off the funding chain.
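The two recommendations above on least privilege and on knowing who has actually accessed the codebase can be turned into a concrete, repeatable check. The following is an added example written for this page, not code from ZachXBT's report or from any affected project. The data shapes are assumptions: `COLLABORATORS` mimics the fields returned by GitHub's repository collaborators API (`login`, `role_name`, `permissions`), `ROSTER` is a hypothetical HR export recording who passed identity verification and their declared working country, and `ACCESS_LOG` is a constructed list of clone events whose source country is assumed to come from an upstream geo-IP step. None of the accounts or events are real.

```python
"""Least-privilege audit of repository access with an access-log cross-check.

Added example, not part of the ZachXBT report or any project's code.
Assumptions: COLLABORATORS follows the shape of GitHub's collaborators API
(login, role_name, permissions); ROSTER is a hypothetical HR export;
ACCESS_LOG is a constructed list of (actor, action, source_country) events.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: no real accounts, no real events.
COLLABORATORS = [
    {"login": "alice-core",   "role_name": "admin", "permissions": {"admin": True,  "push": True,  "pull": True}},
    {"login": "bob-dev",      "role_name": "write", "permissions": {"admin": False, "push": True,  "pull": True}},
    {"login": "contractor-7", "role_name": "admin", "permissions": {"admin": True,  "push": True,  "pull": True}},
    {"login": "ci-bot",       "role_name": "write", "permissions": {"admin": False, "push": True,  "pull": True}},
    {"login": "reader-1",     "role_name": "read",  "permissions": {"admin": False, "push": False, "pull": True}},
]

# Hypothetical HR roster: has identity verification been completed, and where
# did the person say they work from? None = service account, no location check.
ROSTER = {
    "alice-core":   {"verified": True,  "declared_country": "US"},
    "bob-dev":      {"verified": True,  "declared_country": "DE"},
    "contractor-7": {"verified": False, "declared_country": "US"},  # documents never checked
    "ci-bot":       {"verified": True,  "declared_country": None},
}

# Constructed clone events: (actor login, action, country of source IP).
ACCESS_LOG = [
    ("alice-core",   "git.clone", "US"),
    ("bob-dev",      "git.clone", "DE"),
    ("contractor-7", "git.clone", "RU"),
    ("contractor-7", "git.clone", "RU"),
    ("unknown-user", "git.clone", "RU"),
]

MAX_ADMINS = 1  # policy knob: how many admin accounts a repo may have


@dataclass(frozen=True)
class Finding:
    login: str
    rule: str
    detail: str


def audit_access(collaborators, roster, access_log, max_admins=MAX_ADMINS):
    """Return a list of Findings; an empty list means the repo passes."""
    findings = []

    # Rule 1: every account with push or admin rights must map to a roster
    # entry whose identity verification is complete.
    privileged = [c for c in collaborators if c["permissions"]["push"] or c["permissions"]["admin"]]
    for c in privileged:
        entry = roster.get(c["login"])
        if entry is None:
            findings.append(Finding(c["login"], "not_on_roster", f'{c["role_name"]} access with no roster entry'))
        elif not entry["verified"]:
            findings.append(Finding(c["login"], "unverified_identity", f'{c["role_name"]} access but identity never verified'))

    # Rule 2: bound the number of admins (least privilege on the role itself).
    admins = sorted(c["login"] for c in collaborators if c["permissions"]["admin"])
    if len(admins) > max_admins:
        findings.append(Finding(",".join(admins), "too_many_admins", f"{len(admins)} admins, policy allows {max_admins}"))

    # Rule 3: anyone who cloned the repo must currently be a collaborator;
    # this is the "who actually accessed the codebase" check.
    known = {c["login"] for c in collaborators}
    for actor in sorted({a for a, _, _ in access_log}):
        if actor not in known:
            findings.append(Finding(actor, "access_without_membership", "cloned repo but is not a collaborator"))

    # Rule 4: compare the source country of clone events with the declared
    # working country; a remote-desktop or VPN relay tends to show up here.
    clones_by_actor = {}
    for actor, action, country in access_log:
        if action == "git.clone":
            clones_by_actor.setdefault(actor, Counter())[country] += 1
    for actor, countries in clones_by_actor.items():
        declared = roster.get(actor, {}).get("declared_country")
        if declared is None:
            continue
        foreign = {k: v for k, v in countries.items() if k != declared}
        if foreign:
            findings.append(Finding(actor, "geo_mismatch", f"declared {declared}, cloned from {foreign}"))

    return findings


if __name__ == "__main__":
    for f in audit_access(COLLABORATORS, ROSTER, ACCESS_LOG):
        print(f"[{f.rule}] {f.login}: {f.detail}")
```

Run against the constructed data, the audit flags the unverified contractor holding admin rights, the admin count above policy, an actor who cloned the repo without being a collaborator, and a clone pattern from a country that does not match the declared location. In a real deployment the three inputs would be pulled from the code host's API, the HR system, and the audit log respectively, and the check run on a schedule rather than once.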
When code is wealth, who is writing your code? This has become the core issue determining the life and death of crypto projects.