A recent report from Cointelegraph has uncovered a group of North Korean IT workers who have been implicated in a $680,000 cryptocurrency theft in June. The leaked screenshots obtained by blockchain investigator ZachXBT reveal the intricate methods employed by these hackers to infiltrate legitimate projects and steal funds.
The group, consisting of just six individuals, has managed to create and control a network of 31 fake identities. These identities include forged government IDs, phone numbers, and even purchased LinkedIn and Upwork accounts. By posing as legitimate developers, they have successfully applied for roles in various crypto and blockchain projects.
One of the workers was even interviewed for a full-stack engineer position at Polygon Labs, while others fabricated past work experience with companies like OpenSea and Chainlink to appear credible. Once hired, they operated remotely through platforms like Upwork, using tools like AnyDesk and VPNs to access company systems while concealing their true locations.
Screenshots from their devices also revealed the group’s use of Google Drive, Chrome profiles, and a Korean-to-English translation tool to communicate and manage schedules. A spreadsheet detailing their monthly expenses further shed light on the costs associated with their illicit operations.
Investigators traced a Payoneer account linked to the group to a wallet address involved in the June 2025 hack of the fan-token marketplace Favrr, in which $680,000 was stolen. This connection reinforced suspicions that some developers associated with Favrr were actually North Korean operatives using false identities.
Past operations linked to North Korean groups have resulted in significant cryptocurrency thefts, including a $1.4 billion exploit of the exchange Bybit earlier this year. These hackers often masquerade as contractors or remote workers to gain access to sensitive information and funds.
ZachXBT emphasized the need for crypto and tech firms to implement more rigorous screening processes for hires, as the sheer volume of applications can sometimes lead to oversights in vetting. He also highlighted the lack of collaboration between tech companies and freelance platforms, which enables these groups to continue their illicit activities unchecked.
In response to the growing threat posed by state-backed cyber teams, the US Treasury recently sanctioned individuals and companies linked to a similar North Korean IT worker network in July. This move underscores the urgent need for tighter security measures to combat the infiltration of private companies by malicious actors.
As concerns over cryptocurrency scams and cyber attacks continue to rise, it is imperative for businesses to remain vigilant and implement robust security protocols to safeguard against potential threats. By staying informed and proactive, companies can protect their assets and maintain the integrity of the blockchain ecosystem.

