ZachXBT exposes North Korean hacker crime network, pretending to be a developer infiltrating teams to embezzle money: earning $500,000 per month


1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.

Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.

I then uncovered 25+ crypto projects with… pic.twitter.com/W7SgY97Rd8

— ZachXBT (@zachxbt), August 15, 2024

In his latest thread, on-chain investigator ZachXBT reports that he has uncovered a criminal network of 21 North Korean developers who, working under false identities, joined dozens of crypto projects and stole their funds, allegedly earning illicit income of up to $500,000 per month.

ZachXBT Exposes North Korean Hacker Criminal Network

Zach first stated that a single entity based in Asia, and likely originating from North Korea, employs at least 21 workers who have infiltrated more than 25 crypto projects under false identities. When the moment is right they drain the team's funds and disappear; the operation is estimated to earn between $300,000 and $500,000 per month.

Fraud and Money Laundering Process

He revealed that while investigating one hacked project he found a laundering trail that was both carefully constructed and familiar: the funds moved from dedicated theft addresses through coin mixers and then into two exchanges.

After following further addresses, however, he uncovered a much larger laundering network:

These developers had received $375,000 in the past month alone, with total inflows of $5.5 million since July of the previous year.

Zach emphasized that this money ultimately flowed to two individuals sanctioned by the U.S. Office of Foreign Assets Control (OFAC), Sim Hyon Sop and Sang Man Kim, who are alleged to be linked to North Korea's cybercrime and military programs.
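The trail described above (theft address, mixer, exchanges, sanctioned recipients) is the kind of thing an investigator reconstructs by propagating "taint" from the victim through every subsequent transfer. The following is an added example written for this page, not ZachXBT's tooling or any project's code: it applies the haircut method, in which each outgoing transfer carries the same tainted fraction as the sender's current balance, so that mixing with unrelated funds dilutes rather than erases the trail. The addresses, amounts, initial balances and the sanctions watchlist are all constructed for illustration.

```python
"""Added example (not ZachXBT's or any project's tooling): follow stolen funds
through a transfer graph with "haircut" taint propagation.
All addresses, amounts and labels below are constructed for illustration."""
from collections import defaultdict
from fractions import Fraction

# Constructed transfers in chronological order: (sender, receiver, amount in USD).
TRANSFERS = [
    ("treasury", "theft1", 1_300_000),            # the initial theft
    ("theft1", "mixer_in", 800_000),              # part sent into a mixer pool
    ("theft1", "exchangeA_deposit", 500_000),     # part sent straight to an exchange
    ("clean_user", "mixer_in", 200_000),          # unrelated deposit into the same pool
    ("mixer_in", "mixer_out1", 600_000),          # mixer pays out to fresh addresses
    ("mixer_in", "mixer_out2", 400_000),
    ("mixer_out1", "exchangeB_deposit", 600_000),
    ("exchangeB_deposit", "sanctioned_1", 300_000),
    ("exchangeA_deposit", "sanctioned_2", 450_000),
]
# Balances assumed to exist before the first transfer (constructed).
INITIAL_BALANCES = {"treasury": 1_300_000, "clean_user": 200_000}
# Hypothetical watchlist standing in for OFAC-designated addresses.
SANCTIONED = {"sanctioned_1": "OFAC designee 1", "sanctioned_2": "OFAC designee 2"}


def propagate_taint(transfers, initial_balances, theft_sources):
    """Haircut taint: every outgoing transfer carries the same tainted
    fraction as the sender's current balance. Exact arithmetic via Fraction.
    Returns {address: (balance, tainted_amount)}."""
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    for addr, amt in initial_balances.items():
        balance[addr] = Fraction(amt)
        if addr in theft_sources:
            tainted[addr] = Fraction(amt)   # everything leaving a victim is tainted
    for sender, receiver, amount in transfers:
        amount = Fraction(amount)
        if balance[sender] < amount:
            raise ValueError(f"{sender} sends more than it holds")
        moved = amount * tainted[sender] / balance[sender]
        balance[sender] -= amount
        tainted[sender] -= moved
        balance[receiver] += amount
        tainted[receiver] += moved
    return {a: (balance[a], tainted[a]) for a in set(balance) | set(tainted)}


def sanctioned_exposure(state, sanctioned):
    """Tainted value that reached watchlisted addresses, largest first."""
    rows = [(addr, label, state[addr][1])
            for addr, label in sanctioned.items() if addr in state]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def run_example():
    state = propagate_taint(TRANSFERS, INITIAL_BALANCES, theft_sources={"treasury"})
    return sanctioned_exposure(state, SANCTIONED)


if __name__ == "__main__":
    for addr, label, amt in run_example():
        print(f"{addr} ({label}): ${float(amt):,.0f} traceable to the theft")
```

In the constructed data the mixer pool is 80% stolen funds, so each payout from it is scored as 80% tainted; the direct exchange route stays fully tainted. Haircut is one of several conventions (poison, FIFO, LIFO), and a real investigation would also weight the result by which exchanges cooperate with subpoenas and which pools are known mixers.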

Developers Pretend to Apply for Positions

Zach also described their infiltration method: winning the trust of project teams with fake KYC documents or impressive-looking work histories, then absconding with the funds:

Some of the developers claimed to be based in the U.S. or Malaysia, but their conversations were found to originate from Russian IP addresses.

He added, "Many experienced teams unknowingly hire these developers from North Korea, all of whom have falsified their identities."

ZachXBT Reminder: The Deeper the Questions, the Better

In response, Zach reminded teams to be wary of the following warning signs:

  1. Applicants who appear to know one another, sometimes recommending each other for roles.
  2. An impressive GitHub profile or resume, but vague answers about previous work.
  3. Willing to complete KYC, but the ID provided turns out to be fake.
  4. Vague about details of the country they claim to be from; teams should ask pointed questions to confirm.
  5. Strong performance at first that gradually declines.
  6. When one person is fired, a new account applies for the same position almost immediately.
  7. A preference for popular NFTs as profile avatars.

EvilCos: Teams Should Be Cautious of North Korean Developer Infiltration

Yu Xian, founder of the security firm SlowMist, also quoted ZachXBT's thread, writing:

They recommend each other for jobs, linger for a long time, and have good technical skills; your company runs well and fattens them up, and then they close the net.

He added, "This kind of thing is no longer new; unfortunately, there will always be new tricks."

Rampant North Korean Hacker Crime

Cybercrime linked to North Korea continues to rise, most notoriously through the Lazarus Group, which has carried out numerous attacks and scams in the past, ranging from phishing and protocol exploits to personnel infiltration.

Large-scale attacks previously attributed to Lazarus include the gaming platform Stake.com and the exchange CoinEx, with combined losses of over $100 million.

Several incidents this year have also been linked to North Korea, though attribution to Lazarus itself has not been confirmed:

  • March: Gaming platform Munchables on Blast was drained by one of its own developers, with around $62.5 million taken.
  • May: Japanese exchange DMM Bitcoin was hacked, resulting in a loss of approximately $305 million.
  • July: Indian exchange WazirX was hacked, resulting in a loss of about $235 million.


In February of this year, the United Nations also took a hard line, stressing that North Korean hackers are funding the country's nuclear program through large-scale cyberattacks, with criminal proceeds exceeding $3 billion over the past seven years.