Suspected North Korean hackers infiltrate team long-term, Blast-verified project Munchables hacked for $60 million.

Table of Contents

Munchables Hacked for $60 Million

Web3 game platform Munchables, based on Blast, announced in a tweet at 5:37 a.m. on the 27th that the platform had been hacked. The official team is currently tracking the movement of funds and attempting to stop transactions. More information will be updated as soon as available.

Following the incident, Munchables only released this tweet.

Crypto detective ZachXBT promptly revealed the hacker's address 0x…9c5 under the tweet, indicating that the wallet contained 17,411 ETH, valued at up to $62.94 million, making it the largest hack of the year so far.

Exploiter address 17.4K ETH ($62.5M)

0x6e8836f050a315611208a5cd7e228701563d09c5

— ZachXBT (@zachxbt) March 26, 2024

Munchables Suspected of Employing North Korean Hackers

ZachXBT stated that Munchables fell victim to the hack due to the employment of North Korean developers.

He pointed out that the developer with the Github ID Werewolves0493 was the culprit.

Another Incident Involving Blast

SlowMist founder Yu Xian also referenced ZachXBT's investigation, stating that this was the second similar event:

North Korean hackers disguised as core developers and infiltrated the team for a long time, gaining the trust of the entire team, and struck when the time was right... mercilessly. SlowMist will closely follow the progress of the incident.

Blast 上的这个协议 Munchables 被盗 6250 万美金，损失真大了。按 @zachxbt 的调查是因为他们的一位开发者是朝鲜黑客…这是我们遇到的至少第二起 DeFi 类项目遭遇的这类情况了。核心开发者伪装潜伏很久，获得整个 team 的信任，时机一到就下手了…毫不留情。

受害者恐怕不少，我们会紧密跟进。 https://t.co/bsVpIXnJV8 pic.twitter.com/ONOGYXRRUF

— Cos(余弦)😶‍🌫️ (@evilcos) March 27, 2024

Munchables was previously selected as a winning project in the Blast ecosystem competition "Big Bang" as shown below. This marks another incident involving a project recommended by Blast officials following the previous exit scam of RiskOnBlast.

First Rug Pull Incident on Blast: Gaming project RiskOnBlast absconds with funds, deletes all social accounts

Update: Munchables Developers Return Private Keys

Blast founder Pacman revealed in a post on the afternoon of the 27th that the "former" Munchables developer had returned all funds and did not request any ransom.

He believes that this incident is a learning opportunity for all development teams to take preventive measures to safeguard security more thoroughly. Blast is assisting the Munchables team in returning funds to users, and more detailed information will be announced later.

He also specifically mentioned researchers Paradigm and ZachXBT for their assistance in this matter.

$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…

— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024