Blockchain investigator ZachXBT has uncovered a major exploit affecting various NFT projects associated with Pepe creator Matt Furie, linking the incident to a group of suspected North Korean IT workers. The attacks resulted in a loss of over $1 million across multiple platforms, including ChainSaw-related projects Replicandy and Peplicator, with approximately $310,000 stolen from these projects alone.
According to ZachXBT’s analysis, the attackers gained control of smart contract ownership, utilized the minting function to create new NFTs, and sold them off through bids, causing the floor prices of the impacted collections to plummet to zero.
The exploit commenced on June 18, 2025, when the ownership of Replicandy was transferred to an externally owned address (EOA) identified as 0x9Fca, followed by a withdrawal of funds from the contract on the same day. The attacker proceeded to mint and dump NFTs on the market the following day, and on June 23, assumed control over Peplicator, Hedz, and Zogz contracts, all linked to Matt Furie and ChainSaw.
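A defender-side check for the sequence described above (ownership moves to an unexpected address, then new tokens are minted), as an added example that is not taken from ZachXBT's analysis or the affected projects. It assumes already-decoded OpenZeppelin-style `OwnershipTransferred` and ERC-721 `Transfer` event records; the owner allowlist, the 7-day window, the addresses and the collection names are constructed for illustration.

```python
from datetime import datetime, timedelta

ZERO = "0x" + "00" * 20        # ERC-721 mints appear as Transfer events from this address
WINDOW = timedelta(days=7)     # assumed correlation window after an ownership change

def find_takeover_mints(events, approved_owners):
    """Flag ownership changes to unapproved addresses and count the mints that follow."""
    suspect, alerts = {}, {}
    for e in sorted(events, key=lambda x: x["time"]):
        c, args = e["contract"], e["args"]
        if e["event"] == "OwnershipTransferred":
            owner = args["newOwner"].lower()
            if owner in approved_owners:
                suspect.pop(c, None)           # contract is under expected control
            else:
                suspect[c] = e["time"]         # the change alone is already alert-worthy
                alerts[c] = {"new_owner": owner, "changed": e["time"], "mints": 0}
        elif e["event"] == "Transfer" and args["from"].lower() == ZERO and c in suspect:
            if e["time"] - suspect[c] <= WINDOW:
                alerts[c]["mints"] += 1
    return alerts

# Constructed sample data: placeholder addresses and names, not real on-chain values.
DEPLOYER, MULTISIG, UNKNOWN_EOA = ("0x" + b * 20 for b in ("11", "aa", "bb"))

def ev(day, contract, event, args):
    return {"time": datetime(2025, 1, day), "contract": contract,
            "event": event, "args": args}

SAMPLE = [
    ev(1, "collection-a", "OwnershipTransferred",
       {"previousOwner": DEPLOYER, "newOwner": UNKNOWN_EOA}),
    ev(2, "collection-a", "Transfer", {"from": ZERO, "to": UNKNOWN_EOA, "tokenId": 9001}),
    ev(2, "collection-a", "Transfer", {"from": ZERO, "to": UNKNOWN_EOA, "tokenId": 9002}),
    ev(20, "collection-a", "Transfer", {"from": ZERO, "to": UNKNOWN_EOA, "tokenId": 9003}),
    ev(3, "collection-b", "OwnershipTransferred",
       {"previousOwner": DEPLOYER, "newOwner": MULTISIG}),
    ev(4, "collection-b", "Transfer", {"from": ZERO, "to": DEPLOYER, "tokenId": 1}),
]

if __name__ == "__main__":
    for name, alert in find_takeover_mints(SAMPLE, {MULTISIG}).items():
        print(name, alert)
```

The ownership change on its own produces an alert with zero mints, so the check can fire before any minting occurs.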
Funds stolen from the ChainSaw-related projects were traced through three wallets, and some of the ETH was converted and transferred to MEXC, a centralized exchange. ZachXBT’s investigation revealed repeated stablecoin transfers to one deposit address at MEXC, indicating a broader utilization of the same network of IT workers across multiple crypto projects.
Further scrutiny uncovered GitHub accounts associated with the suspected attackers. One developer who claimed to be based in the U.S. displayed Korean language settings, used Astral VPN, and operated in Asia/Russia time zones, strongly suggesting ties to North Korea. The lack of transparency from Matt Furie and ChainSaw post-incident was also highlighted, with stolen funds from the ChainSaw exploit remaining untouched and Favrr funds being funneled through Gate.io and other channels.
In a broader context, the rise of North Korean IT worker schemes in the crypto space has raised concerns, with the U.S. Department of Justice recently filing a civil forfeiture complaint to seize $7.7 million in crypto allegedly earned by North Korean IT operatives posing as remote freelancers. These workers channeled their earnings back to the North Korean regime, supporting illicit activities and bypassing sanctions.
The evolving tactics of North Korean-linked actors, such as the Lazarus Group, pose a significant threat to the crypto industry, with recent incidents indicating a shift towards targeted malware attacks like PylangGhost. As these cyber threats continue to escalate, vigilance and enhanced security measures are imperative for crypto startups, especially within the meme coin and NFT communities.