A compromised device belonging to a North Korean IT worker has revealed the inner workings of the team behind the $680,000 Favrr hack, including how it used Google tools to target crypto projects.
According to on-chain investigator ZachXBT, the investigation began when an undisclosed source gained access to one of the workers’ computers. Screenshots, Google Drive exports, and Chrome profiles recovered from that machine exposed how the operatives planned and carried out their activities.
Through wallet activity and digital fingerprints, ZachXBT authenticated the source material and connected the group’s cryptocurrency transactions to the June 2025 breach of the fan-token marketplace Favrr. One wallet address, “0x78e1a,” was identified as directly linked to the misappropriated funds from the incident.
The compromised device disclosed that the team, consisting of six members, utilized at least 31 fake identities. To secure blockchain development opportunities, they collected government-issued IDs and phone numbers, even purchasing LinkedIn and Upwork accounts to solidify their cover.
An interview script discovered on the device showcased their exaggerated experience at prominent blockchain companies, including Polygon Labs, OpenSea, and Chainlink.
Google tools played a central role in their workflow. The threat actors used Google Drive spreadsheets to track budgets and schedules, and Google Translate to bridge communication between Korean and English.
A spreadsheet retrieved from the device indicated that the IT workers were renting computers and buying VPN access in order to obtain fresh accounts for their operations.
The team also relied on remote access tools such as AnyDesk, which let them manage client systems covertly. VPN logs showed them operating from various regions, masking their North Korean IP addresses.
Further findings exposed the group’s research on deploying tokens across diverse blockchains, scouting AI companies in Europe, and identifying new targets within the crypto industry.
ZachXBT identified a recurring pattern highlighted in numerous cybersecurity reports: North Korean IT workers securing legitimate remote positions to infiltrate the crypto sector. By posing as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.
One document discovered on the device contained interview notes and preparation materials likely intended for reference during discussions with potential employers.