North Korean hackers using fake identities targeted crypto firms, linked to $680K Favrr exploit and Kimsuky spy group.

Recently, a group of hackers conducted a counter-hack on suspected North Korean operatives. The results of this counter-hack revealed how these operatives disguise themselves and infiltrate crypto firms before stealing funds.

The leaked data shows that a small team of North Korean IT workers used tools like fake IDs, rented computers and Google tools to secure jobs in the crypto sector. 

Evidence also links them to the $680,000 hack of the Favrr fan-token marketplace in June.

North Korean Hackers’ Tactics and Infiltration Methods

According to on-chain sleuth ZachXBT, the exposed team consisted of six North Korean IT operatives. They shared at least 31 fake identities, complete with forged government IDs, LinkedIn profiles and freelance accounts on platforms like Upwork.

This allowed them to pose as blockchain developers and smart contract engineers to secure contracts with unsuspecting employers.

One operative even interviewed for a full-stack engineering role at Polygon Labs, while others claimed to have experience with well-known crypto companies like OpenSea and Chainlink. 

They even had pre-made scripts for interview responses to maintain their cover.

In addition, the team relied on VPNs to hide their locations and used remote access tools like AnyDesk to work from abroad. They stored schedules, budgets and communications in Google Drive and used Google Translate to switch between Korean and English.

Tied to $680,000 Favrr Hack

ZachXBT’s investigation linked one of the workers’ Payoneer accounts and wallet address “0x78e1a” directly to the Favrr exploit in June. At the time, Favrr’s CTO, “Alex Hong,” was suspected of being a disguised DPRK operative.

More insights from the counter-hack showed that the team spent around $1,489.8 in May on operational costs. These funds covered their services and the tools they used for their hacks. 

Data collected from their online searches also showed that they had technical curiosity and frequently searched for questions about ERC-20 token deployment on Solana.

Inside North Korean Kimsuky Spy Network

While ZachXBT focused on the freelance fraud angle, another leak featured evidence that Kimsuky, a North Korean government espionage group also known as APT43 and Thallium, might have been involved in this.

White-hat hackers Sabre and cyb0rg reportedly broke into a Kimsuky member’s computer and found evidence of a virtual machine, a virtual private server, email addresses, passwords and internal manuals. 

According to the hackers, Kimsuky works with Chinese government hackers and even shares tools and techniques with them. 

Political and Financial Motivations

Findings showed that Kimsuky is not just engaged in intelligence gathering. They also hack into crypto platforms to steal and launder funds.

According to previous reports, North Korean hackers often break in and launder funds to support the country’s nuclear weapons program. Evidence of this was particularly glaring in the $1.4 billion Bybit exchange hack in February, and it was equally evident in other attacks on DeFi protocols over the last five years.

In light of these findings, ZachXBT warned crypto and tech companies to strengthen their vetting processes before employing smart contract developers.

He warned that while this particular North Korean hacking group may not be as skilled or experienced as others, they have the numbers to back up their efforts.

Overall, the crypto sector is likely to remain a major target for these hackers if due diligence in the hiring process isn’t followed more strictly.

The post A North Korean Hacker Was Reverse Hacked, And Here’s What The Data Shows appeared first on Live Bitcoin News.
