🚨 ZachXBT Exposes: North Korea’s Cyber Army Targets Meme Tokens in Brazen Crypto Heist

Published: 2025-06-27 17:05:24

ZachXBT: Meme tokens under siege by DPRK hacker network

Meme coins face an unlikely adversary—state-sponsored hackers. The Lazarus Group, linked to North Korea’s regime, has shifted its crosshairs from DeFi protocols to the wild west of meme tokens. Here’s how crypto’s joke assets became a geopolitical payday.

The Playbook: Phishing, Exploits, and Vanishing Acts

Fake airdrops, compromised dev wallets, and liquidity pool drains—DPRK’s hackers are weaponizing crypto’s hype cycle. Their MO? Target low-hanging fruit with high volatility, then vanish into Tornado Cash. Even Dogecoin knockoffs aren’t safe.

Why Meme Tokens? Low Security, High ROI

Unlike audited DeFi projects, meme coins often skip KYC and smart contract reviews. For hackers, it’s a goldmine: $200M+ stolen in 2024 alone from projects where 'wen moon' counts as a roadmap.

Crypto’s Irony: Decentralization Meets Dictator Money

While VCs pour billions into 'web3 infrastructure,' Pyongyang’s cyber-brigades are cashing out—funding missiles with degenerate gambles on Shiba Inu clones. The lesson? In crypto, even memes can become weapons… and Wall Street still won’t take it seriously.

DPRK hackers present as Solana teams

Token creation on Pump.fun is generally democratic. However, DPRK hackers are also offering code to automate token creation or trading. 

Investigators recently discovered a series of social media accounts and GitHub profiles that they say are linked to North Korean hackers. Some of the profiles already offer code for multiple chains, including Ethereum, BNB Smart Chain, Base, Arbitrum, and others. One of the identified hacker accounts also shared a Solana copy-trading tool. The accounts were also busy touting their services, advertising direct hiring from their profiles while disparaging other software developer agencies.

Some of the hackers have formed teams with old social media accounts. The end goal is to be hired as blockchain developers, potentially compromising meme tokens and other projects. 

Can't let @browsercookies have all the fun.

Gang, meet the DPRK-made dev shop team that loves Solana, uses aged accounts, is active on Twitter and managed to get at least one facilitator in Canada. We'll go one by one. 0xTan1319 got only recently kicked out (not enough gigs?… https://t.co/9udGpP3tkx pic.twitter.com/TTF6YnEUU0

— bbsz (@blackbigswan) June 26, 2025

The hacker cluster is also connected to previously discovered accounts that posed as Polish or US nationals. Again, the main goal was to obtain remote software engineering jobs, including full-stack blockchain roles. Some of the attempts to get hired moved through the freelance hub Inspiration with Digital Living (IWDL), trying to trick legitimate projects into hiring possibly DPRK-affiliated IT workers. Some of the attempts also involve the creation of fake freelancer sites, which present the connected profiles.

The Pump.fun token cycle reportedly involved multiple meme projects linked to DPRK hackers. Previously, threat actors have also deliberately launched a meme token to launder funds from an earlier Web3 heist. The list of hacker handles and profiles is constantly growing, and not all are active. The potential heist is the reverse of the fake job offers, which attempt to install malware on users' computers.
