A rare counter-hack has exposed the inner workings of a North Korean IT group responsible for a $680,000 crypto hack on fan-token platform Favrr in June 2025. Screenshots leaked from one worker’s device, shared by crypto researcher ZachXBT, show how the small team of six operates using 31 fake identities to infiltrate the cryptocurrency sector.
The data indicates these workers used stolen IDs, LinkedIn and Upwork accounts, and even rented computers to mask their true identities. Some impersonated professionals with experience at Polygon Labs, OpenSea, and Chainlink to secure full-stack and blockchain development roles.
Counter-hack: methods and tools
The North Korean operatives relied on a combination of Google products, translation tools, and remote access software like AnyDesk to communicate with clients and execute tasks remotely. VPNs were used to obscure locations, and Google Drive spreadsheets revealed operational expenses of nearly $1,490 in May alone. Payments were often converted from fiat to crypto using Payoneer.
One wallet, labeled “0x78e1a,” is closely tied to the Favrr hack, and the team’s past exploits include the $1.4 billion Bybit hack earlier in 2025. Searches on their devices also show curiosity about deploying ERC-20 tokens on Solana and about top AI development firms in Europe, indicating a broader operational interest beyond simple theft.
Lessons for the crypto industry
ZachXBT emphasized that while many North Korean operations are not technically sophisticated, their high volume of applications can overwhelm hiring teams. He urged crypto and tech firms to increase scrutiny of freelance hires and collaborate more closely with platforms to prevent infiltration.
Regulators are taking action: last month, the U.S. Treasury sanctioned two individuals and four entities linked to North Korea-run IT rings targeting crypto companies.
This incident underlines the persistent threat posed by state-backed actors in the digital asset space and the importance of robust vetting procedures for crypto employment.


