North Korean IT workers used 30+ fake IDs to target crypto companies: report

2025/08/14 16:09

A compromised device from a North Korean IT worker has exposed the inner workings of the team behind the $680,000 Favrr hack and their use of Google tools to target crypto projects.

Summary

A compromised device belonging to a North Korean IT worker exposed the inner workings of threat actors.
Evidence shows operatives used Google powered tools, AnyDesk, and VPNs to infiltrate crypto firms.

According to on-chain sleuth ZachXBT, the trail began with an unnamed source who gained access to one of the workers’ computers, uncovering screenshots, Google Drive exports, and Chrome profiles that pulled back the curtain on how the operatives planned and carried out their schemes.

Drawing on wallet activity and matching digital fingerprints, ZachXBT verified the source material and tied the group’s cryptocurrency dealings to the June 2025 exploit of the fan-token marketplace Favrr. One wallet address, “0x78e1a,” showed direct links to stolen funds from the incident.

Inside the operation

The compromised device showed that the small team — six members in total — shared at least 31 fake identities. To land blockchain development jobs, they amassed government-issued IDs and phone numbers, even buying LinkedIn and Upwork accounts to complete their cover.

An interview script found on the device showed them boasting of experience at well-known blockchain firms, including Polygon Labs, OpenSea, and Chainlink.

Google tools were central to their organized workflow. The threat actors were found to be using drive spreadsheets to track budgets and schedules, while Google Translate bridged the language gap between Korean and English.

Among the information pulled from the device was a spreadsheet that showed IT workers were renting computers and paying for VPN access to buy fresh accounts for their operations.

The team also relied on remote access tools such as AnyDesk, allowing them to control client systems without revealing their true locations. VPN logs tied their activity to multiple regions, masking North Korean IP addresses.

Additional findings revealed the group looking up ways to deploy tokens across different blockchains, scouting AI firms in Europe, and mapping out fresh targets in the crypto space.

North Korean threat actors use remote jobs

ZachXBT found the same pattern flagged in multiple cybersecurity reports — North Korean IT workers landing legitimate remote jobs to slip into the crypto sector. By posing as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.

One document uncovered on the device was interview notes and preparation materials likely meant to be kept on-screen or nearby during calls with potential employers.

Aviso legal: Los artículos republicados en este sitio provienen de plataformas públicas y se ofrecen únicamente con fines informativos. No reflejan necesariamente la opinión de MEXC. Todos los derechos pertenecen a los autores originales. Si consideras que algún contenido infringe derechos de terceros, comunícate con service@support.mexc.com para solicitar su eliminación. MEXC no garantiza la exactitud, la integridad ni la actualidad del contenido y no se responsabiliza por acciones tomadas en función de la información proporcionada. El contenido no constituye asesoría financiera, legal ni profesional, ni debe interpretarse como recomendación o respaldo por parte de MEXC.