Zachxbt Exposes DPRK Hackers Targeting Meme Tokens: Over $1M Stolen in Recent Exploits
- How Are DPRK Hackers Infiltrating Meme Token Projects?
- Which Projects Were Hit by the DPRK-Linked Attacks?
- What Tactics Do the Hackers Use?
- How Is the Crypto Community Responding?
- FAQ: DPRK Meme Token Hacks Explained
Investigative reports by Zachxbt reveal a surge in North Korean (DPRK) hacker activity targeting meme tokens on Ethereum and Solana, with losses exceeding $1 million. The attacks, linked to state-sponsored IT operatives, exploit vulnerabilities in new projects, including those tied to Pepe creator Matt Furie. Hackers are posing as blockchain developers to infiltrate teams, while fake freelancer profiles and GitHub repositories spread malicious code. This deep dive uncovers their tactics, impacted projects like Chainsaw and Favrr, and how the crypto community is responding.
How Are DPRK Hackers Infiltrating Meme Token Projects?
Recent investigations by blockchain sleuth Zachxbt expose a coordinated campaign by North Korean hackers to compromise meme token projects. The attackers exploit weak security in newly launched tokens, mint fraudulent NFTs to crash floor prices, and siphon funds through smart contract vulnerabilities. At least $1 million has been stolen in June 2025 alone, with targets including projects linked to Pepe cartoonist Matt Furie. The BTCC analytics team notes that hackers are increasingly impersonating Solana developers, offering "automated token tools" on GitHub to gain trust before deploying exploits.
Which Projects Were Hit by the DPRK-Linked Attacks?
Three major victims have been identified:
- Chainsaw NFT Collection: Lost 320 ETH ($680,000) after a developer with DPRK ties was hired.
- Favrr Protocol: CTO Alex Hong vanished post-attack, deleting LinkedIn amid suspicions of insider involvement.
- Pump.fun Tokens: Fake Solana teams created tokens to launder funds from prior Web3 heists.
Zachxbt's on-chain analysis traces wallets to GitHub profiles offering "Ethereum/Solana dev services" – some active since 2023 under Polish/US aliases.
What Tactics Do the Hackers Use?
The DPRK operatives employ a multi-phase approach:
| Phase | Tactic | Example |
|---|---|---|
| Infiltration | Posing as freelancers on Upwork/Fiverr | Fake "Digital Living" agency profiles |
| Exploitation | Injecting malicious code into repositories | BNB Chain token minting "helpers" |
| Exfiltration | Draining liquidity via fake NFT drops | Chainsaw's zero-value NFTs |
Notably, one hacker (@BlackBigswan on Twitter) bragged about recruiting a Canadian moderator before the account was suspended.
How Is the Crypto Community Responding?
Vigilance is increasing:
- BTCC and other exchanges now flag tokens linked to suspicious GitHub activity.
- Developers are auditing hires' social histories for signs of fake identities.
- Zachxbt's public wallet blacklists help projects screen transactions.
"These aren't script kiddies – it's a resourced nation-state actor," warns a BTCC security lead. "Assume any 'too-good-to-be-true' dev applicant is compromised."
FAQ: DPRK Meme Token Hacks Explained
What makes meme tokens vulnerable?
Their rapid launch cycles often skip security audits, and cultural hype overrides caution. Hackers exploit FOMO to spread tainted code.
Are Ethereum tokens safer than Solana's?
Not necessarily. Both chains were targeted equally. The exploit vector depends on project infrastructure, not the blockchain itself.
How can I check if a dev is DPRK-linked?
Cross-reference GitHub and wallet addresses with Zachxbt's published lists. Look for mismatched timezones in commit histories or cookie-cutter freelance profiles.
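One way to run the commit-timezone check mentioned above, as an added example that is not code from the article or from Zachxbt's investigation. It assumes the log was exported with `git log --format='%ae|%aI'`; the sample log, the `CLAIMED_OFFSET` table, the function name and the thresholds are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of: git log --format='%ae|%aI'
SAMPLE_LOG = """\
dev-a@example.com|2025-06-02T10:14:03+02:00
dev-a@example.com|2025-06-03T15:40:11+02:00
dev-a@example.com|2025-06-05T09:05:47+02:00
dev-b@example.com|2025-06-02T11:20:00+09:00
dev-b@example.com|2025-06-03T14:02:30+09:00
dev-b@example.com|2025-06-04T03:45:10+02:00
dev-b@example.com|2025-06-06T16:30:00+09:00
"""

# Hypothetical input: the UTC offset (hours) each contributor says they work from.
CLAIMED_OFFSET = {"dev-a@example.com": 2, "dev-b@example.com": 2}


def review_commit_timezones(log_text, claimed, min_match=0.8, night=(0, 6)):
    """Return {author: finding} where commit metadata disagrees with the claimed offset."""
    stamps = {}
    for line in log_text.splitlines():
        if "|" not in line:
            continue  # skip blank or malformed lines
        author, iso = line.rsplit("|", 1)
        stamps.setdefault(author.strip(), []).append(datetime.fromisoformat(iso.strip()))

    findings = {}
    for author, dates in stamps.items():
        if author not in claimed:
            continue  # no stated location to compare against
        claimed_delta = timedelta(hours=claimed[author])
        offsets = Counter(d.utcoffset() for d in dates)
        match = offsets[claimed_delta] / len(dates)
        # The offset is written by the committer's machine and can be set to anything,
        # so also measure how many commits land at night in the claimed local time.
        local = timezone(claimed_delta)
        late = sum(night[0] <= d.astimezone(local).hour < night[1] for d in dates)
        night_share = late / len(dates)
        if match < min_match or night_share > 0.5:
            findings[author] = {
                "offset_match": match,
                "night_share": night_share,
                "offsets_seen": sorted(o.total_seconds() / 3600 for o in offsets),
            }
    return findings


if __name__ == "__main__":
    for author, finding in review_commit_timezones(SAMPLE_LOG, CLAIMED_OFFSET).items():
        print(author, finding)
```

A finding is a prompt for a closer look at the contributor, not proof of identity: people travel, work nights and rebase on other machines.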