Crypto Con Artists Strike Again: Fake IT ‘Experts’ Swipe $1M in NFT Heist – ZachXBT Exposes Scam
Another day, another seven-figure crypto scam—only this time, the thieves came dressed as tech support.
Fake insiders posing as IT specialists drained $1 million from unsuspecting NFT holders, according to blockchain sleuth ZachXBT. The elaborate ruse preyed on trust—and the eternal hope that someone, somewhere, actually knows how to fix a MetaMask error.
How the Heist Went Down
The fraudsters masqueraded as white-hat developers, offering ‘urgent security upgrades’ to high-value NFT collectors. Victims handed over wallet access—only to watch their Bored Apes and CryptoPunks vanish faster than a memecoin’s liquidity.
Security Theater Meets Web3
While DeFi protocols battle flash loan attacks, old-school social engineering still works wonders. The scammers bypassed 2FA, exploited ‘helpful’ DMs, and turned gas fees into exit liquidity. Classic.
Just in case anyone needed reminding: In crypto, the ‘experts’ are often the ones holding the drainer scripts. Stay paranoid out there.
NFT: Hackers Slip Into Web3 Teams
Based on reports, the group quietly joined development squads under false identities. They gained insider access to minting contracts. Then they minted thousands of tokens and NFTs in moments.
The sudden flood crushed floor prices and let the thieves grab hot cash in minutes. It all unfolded in under a week, and about $1 million vanished from these projects’ treasuries.
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.
— ZachXBT (@zachxbt) June 27, 2025
Mass Minting Drops Prices
Favrr suffered one of the biggest hits. The thieves dumped tokens so fast the market couldn’t catch up. Replicandy and ChainSaw saw similar moves. At Replicandy, floor values hit zero almost instantly.
ChainSaw’s stolen crypto still sits inactive in wallets, waiting for launderers to stir it back into exchanges. ZachXBT pointed out that nested services then further obscured the money trail.
4/ In total I estimate $310K+ from their projects was stolen and transferred primarily between the three addresses below.
0xf6a9349c54d51f7f76bbd2afd755b5dd75e617ee
0x7e580f916a8e93871b72a694407fb7d790de96a6
0x58f4299465b261e79713e5c78a7629cd656aed36
— ZachXBT (@zachxbt) June 27, 2025
Funds Trace And Freeze Challenges
Onchain transfers moved funds through multiple exchanges and wallets. Analysts say tracing mixed outputs can take weeks. Exchanges must review huge logs.
That slows or even blocks law enforcement from locking down accounts. In the Coinbase data leak back in May 2025, about 69,461 customers had personal info exposed.
Contractors were bribed to hand over user data, leading to an extortion bid against the exchange.
The NFT/Web3 insider episode echoes Ruby Sleet’s tactics. In November 2024, that group targeted aerospace and defense firms, then shifted to IT companies via fake hiring drives.
They used social engineering to plant malware and harvest credentials. Today’s blockchain and NFT hacks show that open and irreversible ledgers magnify mistakes. When insiders gain privileges, there’s often no undo button.
Security experts warn teams to rethink trust models. Zero‑trust approaches limit each engineer’s reach. Multi‑party approval gates could block sudden minting spikes.
Real‑time activity monitors can flag odd behavior right away. And code reviews paired with identity checks for every new hire help close gaps before they’re abused.
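The approval gate and activity monitor described above can be modeled as one policy check. This is an added example, not code from the article or from any of the named projects: the `MintGate` class, the thresholds and the sample events are all constructed assumptions, and it models an off-chain policy layer rather than a smart contract.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values for illustration; tune per project.
WINDOW_SECONDS = 600       # sliding window length
MAX_UNAPPROVED_MINTS = 50  # tokens one key may mint per window without sign-off
REQUIRED_APPROVERS = 2     # distinct approvers, other than the minter, to exceed the cap

@dataclass
class MintGate:
    history: dict = field(default_factory=dict)  # minter -> deque of (ts, qty)
    alerts: list = field(default_factory=list)   # blocked requests, for the monitor

    def _minted_in_window(self, minter, now):
        q = self.history.setdefault(minter, deque())
        while q and q[0][0] <= now - WINDOW_SECONDS:
            q.popleft()  # drop mints that have aged out of the window
        return sum(qty for _, qty in q)

    def request_mint(self, minter, qty, now, approvers=()):
        """Return True if the mint may proceed; record an alert otherwise."""
        total = self._minted_in_window(minter, now) + qty
        independent = set(approvers) - {minter}  # self-approval never counts
        if total > MAX_UNAPPROVED_MINTS and len(independent) < REQUIRED_APPROVERS:
            self.alerts.append({"ts": now, "minter": minter, "requested": qty,
                                "window_total": total, "approvals": len(independent)})
            return False
        self.history[minter].append((now, qty))
        return True

# Constructed sample events: (timestamp, minter, quantity, approvers)
SAMPLE_EVENTS = [
    (0,   "dev-a", 10, ()),
    (60,  "dev-a", 30, ()),
    (120, "dev-b", 5000, ()),                  # burst from a single key, no sign-off
    (130, "dev-b", 5000, ("dev-b",)),          # minter approving their own request
    (200, "dev-a", 20, ()),                    # pushes dev-a over the window cap
    (300, "dev-a", 20, ("lead-1", "lead-2")),  # over cap, independently approved
    (900, "dev-a", 40, ()),                    # earlier mints have aged out
]

def replay(events):
    gate = MintGate()
    decisions = [gate.request_mint(m, q, ts, ap) for ts, m, q, ap in events]
    return decisions, gate.alerts

if __name__ == "__main__":
    for event, ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print("ALLOW" if ok else "BLOCK", event)
```
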