BREAKING: North Korean Hackers Target Waves Protocol—On-Chain Sleuths Sound Alarm
Blockchain investigators drop a bombshell: Waves Protocol may be the latest victim of North Korea's notorious hacking syndicates. The exploit—still unfolding—highlights the escalating crypto cold war between decentralized networks and state-sponsored attackers.
How they pulled it off
While details remain scarce, on-chain analysts spotted anomalous transaction patterns matching Pyongyang's playbook. The same digital fingerprints that drained $600M from Axie Infinity's Ronin Bridge now appear in Waves' transaction history.
DeFi's security paradox
Another day, another 'unhackable' protocol learning the hard way that code isn't law—money is. As Lazarus Group sophisticates its attacks, the industry's 'move fast and break things' ethos is breaking investors instead. Maybe save some of that VC money for auditors next time?
Waves repos linked to DPRK hacking activity
Researchers from Ketman threat intelligence were scanning GitHub repositories for signs of hacking and the involvement of DPRK contributors. The scans follow several cases where DPRK developers infiltrated some of the biggest crypto projects.
Suspicious activity was noticed in the Keeper wallet repo, which offered access to a browser extension wallet specifically created for the Waves ecosystem.
Keeper Project is a spinoff of Waves and does not share teams. The early Waves team was also involved in building the wallet. Then, in the last three weeks, the repository started to receive new code.
The suspicious account had full authority and was capable of controlling the repository and even making new wallet releases. The rights to the wallet release were linked to one GitHub account, which was suspected to belong to a DPRK hacker. The account included a potentially dangerous download LINK for the Keeper Wallet.
So far, there is no new release for Keeper, and the current wallet is considered relatively safe. However, a new release may be suspicious and cause harm, especially with the expected renewed marketing of Waves.
The GitHub contributor AhegaoXXX also pushed an update that targeted and extracted wallet logs and errors to an external database, compromising privacy and being potentially malicious. The code may have capabilities to log wallet keys or phrases, though for now, it has not been added to the latest wallet release.
Some of the code linked to Keeper Wallet has been published by the account of developer Maxim Smolyakov, leading the investigators to suspect some FORM of account takeover.
KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage
