Pepe Creator Projects Lose $1M in North Korean IT Worker Exploit—ZachXBT Exposes Attack

Author: Cryptonews
Published: 2025-06-27 17:08:40

Another day, another crypto heist—this time with a geopolitical twist. The team behind the viral Pepe meme coin just got hit by a $1 million exploit, and blockchain sleuth ZachXBT traces it straight to North Korean IT operatives.

How’d they pull it off? Details are still emerging, but early signs point to a sophisticated social engineering play. The attackers reportedly bypassed standard security protocols, leaving devs scrambling to patch vulnerabilities.

This isn’t your average DeFi hack. The involvement of state-linked actors raises the stakes—and questions about whether meme coins are now targets for nation-state cyber warfare. Meanwhile, the ‘anonymous’ dev team promises reimbursements (funds are ‘safu,’ they insist).

Cynical take: At least the hackers didn’t dump the tokens—Pepe’s chart has enough volatility without adding exit scams to the mix.

North Korean Network Suspected in $680K Crypto Heist, NFT Exploit, and Developer Infiltration

In a post shared on X, ZachXBT explained that the attackers gained control of smart contract ownership, used the minting function to generate new NFTs, and sold them into bids. This action caused the floor prices of the affected collections to crash to zero.

The exploit began on June 18, 2025, when ownership of Replicandy was transferred to an externally owned address (EOA), identified as 0x9Fca. Later that same day, funds were withdrawn from the contract.

1/ Multiple projects tied to PEPE creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen

My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. pic.twitter.com/85JRm5kLQO

— ZachXBT (@zachxbt) June 27, 2025

The attacker resumed the minting process the following morning, minting and dumping NFTs on the market. A few days later, on June 23, the same address assumed control over Peplicator, Hedz, and Zogz contracts, projects also tied to Matt Furie and ChainSaw.
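The sequence described above (ownership handed to an unexpected address, followed by withdrawals and minting from that address) is something a project can alert on from its own contract events. The sketch below is an added example, not code from ZachXBT or the affected projects; the event schema, the owner allowlist, and every address in it are constructed placeholders, and it assumes an indexer has already decoded the contract's events into records of this shape.

```python
# Added example: all addresses and events below are constructed placeholders.
TEAM_MULTISIG = "0x" + "aa" * 20   # approved owner (assumption)
UNKNOWN_EOA = "0x" + "bb" * 20     # stands in for an unexpected new owner
COLLECTOR = "0x" + "cc" * 20       # ordinary user of the collection

# Hypothetical decoded-event schema, as an indexer might emit it.
SAMPLE_EVENTS = [
    {"block": 100, "kind": "mint", "sender": TEAM_MULTISIG, "to": COLLECTOR},
    {"block": 200, "kind": "ownership_transferred",
     "previous_owner": TEAM_MULTISIG, "new_owner": UNKNOWN_EOA},
    {"block": 215, "kind": "withdraw", "sender": UNKNOWN_EOA, "to": UNKNOWN_EOA},
    {"block": 6900, "kind": "mint", "sender": UNKNOWN_EOA, "to": UNKNOWN_EOA},
    {"block": 6901, "kind": "mint", "sender": UNKNOWN_EOA, "to": UNKNOWN_EOA},
    {"block": 6950, "kind": "mint", "sender": COLLECTOR, "to": COLLECTOR},
]

# Actions that matter once an unapproved address holds ownership.
PRIVILEGED = {"mint", "withdraw"}


def scan(events, approved_owners):
    """Flag ownership moving to an address outside the allowlist, then flag
    every privileged action that address sends while it remains the owner."""
    approved = {a.lower() for a in approved_owners}
    alerts, rogue_owner = [], None
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["kind"] == "ownership_transferred":
            new_owner = ev["new_owner"].lower()
            # Ownership returning to an approved address clears the state.
            rogue_owner = None if new_owner in approved else new_owner
            if rogue_owner:
                alerts.append({"block": ev["block"], "severity": "high",
                               "reason": "owner changed to unapproved address",
                               "address": rogue_owner})
        elif ev["kind"] in PRIVILEGED and ev["sender"].lower() == rogue_owner:
            alerts.append({"block": ev["block"], "severity": "critical",
                           "reason": ev["kind"] + " by unapproved owner",
                           "address": rogue_owner})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, [TEAM_MULTISIG]):
        print(alert)
```

The ownership change is the earliest signal here: in the timeline above it preceded the first withdrawal, so paging on it alone gives a team the chance to respond before minting starts.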

Funds stolen from the ChainSaw-related projects were traced through three wallets. Some of the ETH was later converted and transferred to MEXC, a centralized exchange.

ZachXBT noted that one deposit address at MEXC had received repeated stablecoin transfers over several months, ranging between $2,000 and $10,000, suggesting broader use of the same IT worker network across multiple crypto projects.

Further investigation uncovered GitHub accounts linked to the suspected attackers. According to ZachXBT, one developer who claimed to be based in the U.S. had Korean language settings, used Astral VPN, and operated in Asia/Russia time zones, red flags pointing to North Korean links. Internal logs and payroll connections added more weight to the claims.

Another affected project, Favrr, reportedly lost more than $680,000 on June 25. One of its developers, identified as Alex Hong, is suspected of being a North Korean IT worker. His LinkedIn profile was recently deleted, and efforts to verify his past work experience failed.

ZachXBT said, “The Favrr CTO appears suspicious and is likely one of the two DPRK ITWs hired.”

“The situation is depressing,” ZachXBT added, “because many teams hire DPRK IT workers when basic due diligence could’ve prevented it.”

He also criticized the lack of transparency from Matt Furie and ChainSaw since the incident. According to him, their only public warning to the community was deleted without explanation. Most of the stolen funds from the ChainSaw exploit remain unmoved.

Meanwhile, the Favrr funds were funneled through Gate.io and other channels.

ZachXBT said he plans to release broader statistics soon, highlighting how widespread payments to suspected North Korean workers have become in the crypto space.

North Korean IT Worker Scheme Tied to Ongoing Crypto Exploits as U.S. Seizes $7.7M in Laundered Funds

On June 6, the U.S. Department of Justice filed a civil forfeiture complaint to seize $7.7 million in crypto allegedly earned by North Korean IT operatives posing as remote freelancers.

The US is moving to seize $7.7M in crypto linked to North Korean IT workers who allegedly laundered funds via fake freelance gigs. #DOJ #CryptoEnforcement https://t.co/7iKHNodaBL

— Cryptonews.com (@cryptonews) June 6, 2025

These workers secured positions at blockchain firms and funneled earnings, often paid in stablecoins like USDC and USDT, back to the North Korean regime, bypassing U.S. sanctions.

Authorities said the operation supports North Korea’s weapons program and was orchestrated through fake identities, sophisticated laundering tactics, and shell companies.

One named figure is Sim Hyon Sop, previously indicted in 2023, with ties to the Foreign Trade Bank of North Korea.

These insider threats are increasingly being linked to external hacks. The notorious Lazarus Group, responsible for the $1.4 billion Bybit theft in February, continues to evolve its methods.

In 2024 alone, North Korean-linked actors stole $1.3 billion across 47 incidents, per Chainalysis.

🚨 North Korean hackers deploy "PylangGhost" trojan posing as Coinbase recruiters to steal crypto credentials through fake job interviews, part of $1.3 billion cyber campaign targeting industry professionals. #NorthKorean #Coinbase https://t.co/CGeDVs7s3J

— Cryptonews.com (@cryptonews) June 20, 2025

A newer front in this cyberwar is targeted malware attacks. On June 20, Cisco Talos researchers exposed PylangGhost, a Python-based malware deployed by the Lazarus-affiliated Famous Chollima group.

It disguises itself through fake job interviews and installs credential-stealing malware on victims’ systems, primarily targeting crypto professionals in India.

As North Korea shifts from brute-force hacking to social engineering and insider access, the risks for crypto startups, especially meme coin and NFT communities, continue to grow.
