ZACHXBT Exposes DPRK Hacker Network Targeting Meme Tokens: $1M+ Stolen

Published:
2025-06-28 07:12:02


Blockchain investigator ZACHXBT has uncovered a North Korean hacker group infiltrating meme token projects on Ethereum and Solana, with losses exceeding $1 million. The attackers pose as blockchain developers to gain access, and have targeted projects including those linked to Pepe creator Matt Furie. This report details their tactics, the affected projects, and the growing threat to decentralized finance.

How Are North Korean Hackers Targeting Meme Tokens?

Recent investigations reveal a sophisticated operation by DPRK-linked hackers targeting vulnerable meme token projects. These attackers are:

  • Posing as blockchain developers to get hired by projects
  • Exploiting newly launched tokens with weaker security
  • Using aged social media accounts to appear legitimate
  • Offering "developer tools" that contain hidden exploits

The BTCC analytics team notes this represents an evolution from previous Web3 attacks, where hackers focused more on direct protocol exploits rather than long-term infiltration.

Which Projects Have Been Compromised?

The attack cluster has impacted several notable projects:

  Project                    Chain      Losses     Connection
  FAVVR                      Solana     $680,000   CTO Alex Hong suspected
  Chainsaw NFT               Ethereum   $220,000   Pepe-related artwork
  Multiple pump.fun tokens   Multiple   $100k+     Funds laundering scheme

ZACHXBT's June 27, 2025 thread showed how one hacker "dent" was hired by FAVVR before the exploit occurred. The project's CTO subsequently deleted his LinkedIn and went silent on social media.

What Tactics Are These Hackers Using?

The operation employs multiple sophisticated approaches:

  1. Developer Impersonation: Using polished GitHub profiles with contributed code
  2. Social Engineering: Leveraging aged Twitter accounts (some 5+ years old)
  3. Tool Distribution: Sharing "helpful" trading bots and token creators with backdoors
  4. Team Infiltration: Getting hired for remote blockchain positions

One hacker even bragged about placing a team member in a Canadian project facilitator position, showing their long-term planning.

How Extensive Is This Hacker Network?

Evidence suggests a coordinated group with:

  • 30+ identified GitHub profiles
  • 15+ active Twitter accounts
  • Presence across 5+ blockchains (Ethereum, Solana, BSC, etc.)
  • Fake freelance profiles on Upwork and Fiverr

The BTCC research team warns this may represent just the visible portion of their operation, with more sophisticated attacks likely underway.

What's the Historical Context of These Attacks?

This isn't North Korea's first crypto rodeo. The Lazarus Group has stolen billions in crypto assets since 2017, but their meme token focus is new. Key developments:

  • 2021: First DeFi protocol exploits
  • 2023: Shift toward NFT projects
  • 2024: Initial meme token testing
  • 2025: Full-scale developer infiltration

The current attacks show refined social engineering tactics compared to earlier brute-force hacks.

How Can Projects Protect Themselves?

Security experts recommend:

  1. Thorough vetting of all developers (verify commit history)
  2. Multi-sig wallets for all treasuries
  3. Delayed fund access for new team members
  4. Third-party audits of all contributed code

As one BTCC analyst noted, "If a developer's Twitter was created in 2018 but only became active last month, that's a huge red flag."
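The two vetting signals above (verify commit history; an account created years ago that only became active last month) can be turned into a repeatable check rather than a gut call. The script below is an added example, not code from BTCC or ZACHXBT: it scores a developer profile for an aged-but-dormant account that suddenly burst into activity, and for a commit history that was all produced inside one short window. Thresholds (24 months of age, 90% of activity in the last 3 months, 20 commits within 14 days) and the two sample profiles are constructed assumptions; a real deployment would pull activity counts and commit dates from the platform's API instead.

```python
"""Developer-vetting heuristics for two red flags: an old account that only
recently became active, and a commit history padded in one short burst.
All profiles, handles and counts below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DeveloperProfile:
    handle: str
    account_created: date
    # (year, month) -> number of public actions in that month
    monthly_activity: dict = field(default_factory=dict)
    # dates of the commits the candidate presents as their track record
    commit_dates: list = field(default_factory=list)


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (day-of-month ignored)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def dormant_then_burst(profile, as_of, min_age_months=24, recent_months=3, burst_share=0.9):
    """True when an account at least min_age_months old has burst_share or more
    of its lifetime activity inside the last recent_months months.
    Young accounts return False here; they need other checks, not this one."""
    if months_between(profile.account_created, as_of) < min_age_months:
        return False
    total = sum(profile.monthly_activity.values())
    if total == 0:
        return False
    recent = sum(
        n for (y, m), n in profile.monthly_activity.items()
        if months_between(date(y, m, 1), as_of) < recent_months
    )
    return recent / total >= burst_share


def commit_history_padded(commit_dates, window_days=14, min_commits=20):
    """True when a sizeable commit history all lands inside one short window,
    which is how a freshly fabricated track record tends to look."""
    if len(commit_dates) < min_commits:
        return False
    span = max(commit_dates) - min(commit_dates)
    return span <= timedelta(days=window_days)


def vet_developer(profile, as_of):
    """Return the list of red-flag labels raised for this profile (empty = none)."""
    flags = []
    if dormant_then_burst(profile, as_of):
        flags.append("aged-account-sudden-activity")
    if commit_history_padded(profile.commit_dates):
        flags.append("commit-history-single-burst")
    return flags


# ---- constructed sample data (not real accounts) ----
AS_OF = date(2025, 6, 27)

# Created in 2018, silent until two months ago, 30 commits within five days.
SUSPICIOUS = DeveloperProfile(
    handle="example-dev-a",
    account_created=date(2018, 3, 1),
    monthly_activity={(2025, 5): 40, (2025, 6): 55},
    commit_dates=[date(2025, 5, 10) + timedelta(days=i % 5) for i in range(30)],
)

# Created in 2019, ten actions every month for 18 months, commits spread over a year.
STEADY = DeveloperProfile(
    handle="example-dev-b",
    account_created=date(2019, 1, 1),
    monthly_activity={(2024 + i // 12, i % 12 + 1): 10 for i in range(18)},
    commit_dates=[date(2024, 1, 15) + timedelta(days=17 * i) for i in range(30)],
)

if __name__ == "__main__":
    for p in (SUSPICIOUS, STEADY):
        print(p.handle, vet_developer(p, AS_OF) or ["no flags"])
```

Neither signal proves anything on its own; a genuine developer can return from a long break. The value is in forcing the conversation ("walk me through these commits") before the candidate gets any key material, which pairs with the delayed-access and multi-sig recommendations above.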

What's Next for Meme Token Security?

The crypto community faces an evolving threat:

  • More sophisticated social engineering expected
  • Potential expansion to other token categories
  • Possible regulatory scrutiny of small-cap projects
  • Need for better developer verification tools

With losses already exceeding $1 million, this may just be the beginning of a larger campaign.

FAQ Section

How did ZACHXBT discover these attacks?

Through blockchain tracing that connected multiple exploit wallets to developer profiles with North Korean ties.

Are major exchanges like BTCC affected?

No, the attacks target token projects directly rather than exchanges.

What should I do if I hold affected tokens?

Check project announcements and consider moving to cold storage if possible.

How can I verify developer backgrounds?

Look for consistent activity histories and verify real-world identities when possible.

Is this connected to previous Lazarus Group attacks?

While not confirmed, the tactics show similarities to known North Korean operations.
