How ZachXBT Exposed North Korea’s $680K Crypto Heist – A Blockchain Sleuth’s Triumph

Published:
2025-08-14 09:14:04

How ZachXBT Uncovered the $680K North Korean Crypto Scam

When $680K vanishes in crypto-land, nobody bats an eye, until a leaked device and a lone investigator crack the case. Here's how blockchain's Sherlock Holmes, with an assist from an anonymous source, pulled it off.


The Smoking Gun Chain

ZachXBT didn't need a badge to trace the dirty money. Just a blockchain explorer, a device image leaked by an anonymous source, caffeine, and that sweet, sweet schadenfreude when operatives slip up. Every transaction leaves fingerprints, even for nation-state operators, and a salary wallet reused across jobs is a fingerprint no VPN can scrub.


Pyongyang's Perfect (Until It Wasn't) Crime

The DPRK IT-worker cell thought they'd covered their tracks. Purchased identities, rented VPNs, remote-access tooling, the works. But one overlooked detail, call it 'opsec arrogance', left a breadcrumb trail even Pyongyang's operators couldn't scrub: a salary wallet reused across jobs and tied on-chain to the Favrr exploit, plus a browser history full of Korean Google Translate lookups coming from Russian IP addresses.


Why This Should Scare Every Crypto Team

If a pseudonymous Twitter sleuth outsmarts state-funded operatives, what does that say about your 'top-tier' security team? (Looking at you, projects that hand repo access and a CTO title to a purchased LinkedIn profile.)

The takeaway? In crypto, the house doesn't always win—sometimes the nerds with nothing better to do rewrite the rules.

TLDR

  • Five North Korean IT workers created 30+ fake identities using government IDs, LinkedIn, and Upwork accounts to infiltrate crypto projects as developers
  • An anonymous source hacked one worker’s device, revealing expense spreadsheets, fake identity documentation, and operational details
  • The team spent $1,489.80 in May on fake IDs, phone numbers, VPNs, and AI subscriptions to maintain their cover
  • One frequently used wallet address was linked to the $680,000 Favrr marketplace hack in June 2025
  • The workers used Google Translate, AnyDesk remote access, and VPNs to hide their true locations and communicate with employers

A team of five North Korean IT workers created more than 30 fake identities to infiltrate cryptocurrency projects as developers. The scheme was exposed on August 13, after an anonymous source compromised one of the workers' devices and shared the contents with ZachXBT.

The compromised data included Google Drive exports, Chrome browser profiles, and device screenshots. All communications were conducted in English to avoid suspicion from potential employers.

8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.

Additional DPRK ITWs were identified at projects from the 0x78e1 address. https://t.co/BPZmFo8n5d pic.twitter.com/DcQnvNetxY

— ZachXBT (@zachxbt) August 13, 2025

Financial records obtained from the breach show the workers’ systematic approach to employment fraud. Their expense spreadsheet details purchases of Social Security numbers, LinkedIn and Upwork accounts, phone numbers, and AI subscriptions.

The team also rented computer services and VPN networks to meet blockchain industry employment requirements. These tools helped them access internal systems and obtain sensitive code from unsuspecting companies.

The leaked materials included documentation outlining meeting schedules for targeted crypto projects. They also contained detailed scripts for maintaining fake identities, including one called “Henry Zhang.”

1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. pic.twitter.com/DEMv0GNM79

— ZachXBT (@zachxbt) August 13, 2025

Remote Access Technology Used to Maintain Cover

The operatives used AnyDesk remote-access software together with VPN services so that their connections appeared to originate from the regions they falsely claimed as their residence, rather than from where they were actually working.

Browser history data showed extensive Google Translate usage with Korean language translations. The activity originated from Russian IP addresses, indicating the workers were operating from Russia rather than from the locations on their fake identities.
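The two signals in the paragraphs above, remote-access sessions from a country that contradicts a contractor's declared residence and Korean-language translation lookups, are cheap to check in a web-proxy or endpoint log. The script below is an added example, not ZachXBT's tooling, not AnyDesk's log format, and not any vendor's detection rule: the event fields, the IP-to-country table (built from documentation ranges) and the user names are all constructed for illustration.

```python
"""Contractor-location consistency check (added example, not from the article).

Flags contractor accounts whose remote-access sessions or browser activity
contradict the residence they declared. Every field name, IP range and user
below is constructed; real proxy and endpoint logs will need their own parser.
"""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed: residence each contractor declared at onboarding (ISO country).
DECLARED_COUNTRY = {"henry.zhang": "US", "alice.w": "DE", "bob.k": "US"}

# Constructed: tiny CIDR-to-country table using RFC 5737 documentation ranges.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Constructed events: endpoint remote-access sessions and web-proxy requests.
EVENTS = [
    {"user": "henry.zhang", "kind": "remote_access", "tool": "AnyDesk",
     "src_ip": "203.0.113.7"},
    {"user": "henry.zhang", "kind": "http", "src_ip": "203.0.113.7",
     "url": "https://translate.google.com/?sl=ko&tl=en&text=hello"},
    {"user": "alice.w", "kind": "http", "src_ip": "192.0.2.9",
     "url": "https://github.com/"},
    {"user": "bob.k", "kind": "remote_access", "tool": "AnyDesk",
     "src_ip": "198.51.100.3"},
]

# Remote-desktop tools that let a worker drive a machine placed elsewhere.
REMOTE_TOOLS = {"AnyDesk", "TeamViewer", "RustDesk"}


def geolocate(ip_str):
    """Map an IP to a country using the constructed table; None if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return None


def korean_translation(url):
    """True if a Google Translate request has Korean as source or target."""
    parsed = urlparse(url)
    if not parsed.netloc.endswith("translate.google.com"):
        return False
    qs = parse_qs(parsed.query)
    return "ko" in qs.get("sl", []) or "ko" in qs.get("tl", [])


def evaluate(events, declared=DECLARED_COUNTRY):
    """Return {user: sorted findings} for every user with at least one finding.

    A remote-access tool on its own is not flagged: plenty of legitimate
    contractors use AnyDesk. The finding is the mismatch between where the
    session comes from and where the person claims to live.
    """
    findings = {}
    for ev in events:
        user = ev["user"]
        country = geolocate(ev["src_ip"])
        home = declared.get(user)
        reasons = set()
        if country and home and country != home:
            if ev["kind"] == "remote_access" and ev.get("tool") in REMOTE_TOOLS:
                reasons.add(f"remote_access_from_{country}")
            else:
                reasons.add(f"geo_mismatch_{country}")
        if ev["kind"] == "http" and korean_translation(ev["url"]):
            reasons.add("korean_translation_lookup")
        if reasons:
            findings.setdefault(user, set()).update(reasons)
    return {u: sorted(r) for u, r in findings.items()}


if __name__ == "__main__":
    for user, reasons in evaluate(EVENTS).items():
        print(user, reasons)
```

The caveat a practitioner will want: this catches the sloppy case the article describes, where the source IP is Russian, not a well-placed VPN or a laptop farm inside the claimed country. In that case the connection geography looks clean and the remaining tells are behavioural (translation lookups, working hours, reused payout wallets).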

The investigation revealed Telegram conversations where team members discussed successful job placements. In these exchanges, they shared Ethereum (EVM) wallet addresses for salary deposits.

One frequently used wallet address, the 0x78e1 address in ZachXBT's thread, was traced back to a major security incident. The address connected on-chain to the $680,000 Favrr exploit that occurred in June 2025.

This incident involved the project’s chief technology officer and other developers. These individuals were later identified as North Korean IT workers operating with fraudulent credentials.
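The linkage described above is a graph search over token transfers: a salary-deposit address is tied to an incident when a short chain of transfers connects it to the exploit address. The script below is an added example of that search, not ZachXBT's method or tooling; the transfers and addresses are constructed placeholders (the real 0x78e1 address is not used), and in practice the transfer list would come from an explorer API or an archive node.

```python
"""Salary-wallet to exploit-address linkage (added example, not the article's).

Builds an undirected transfer graph from a constructed set of ERC-20 / ETH
transfers and reports which salary-deposit wallets reach an incident address
within a bounded number of hops. All hashes and addresses are made up.
"""
from collections import defaultdict, deque

# Constructed sample transfers: (tx_hash, from, to, token, amount).
# Addresses are hypothetical labels, not real on-chain addresses.
TRANSFERS = [
    ("0xaaa1", "0xEMPLOYER_A", "0xSALARY_1", "USDT", 6000),
    ("0xaaa2", "0xEMPLOYER_B", "0xSALARY_2", "USDC", 4500),
    ("0xaaa3", "0xSALARY_1", "0xHUB", "USDT", 6000),
    ("0xaaa4", "0xSALARY_2", "0xHUB", "USDC", 4500),
    ("0xaaa5", "0xHUB", "0xEXPLOIT_FUNDER", "USDT", 10000),
    ("0xaaa6", "0xEXPLOIT_FUNDER", "0xEXPLOITER", "ETH", 2),
    ("0xaaa7", "0xEXPLOITER", "0xCASHOUT", "ETH", 150),
    ("0xaaa8", "0xUNRELATED", "0xOTHER", "USDT", 100),
]


def build_graph(transfers):
    """Adjacency map over both directions: linkage counts whether the wallet
    funded the exploiter or received proceeds from it."""
    graph = defaultdict(set)
    for _, src, dst, _, _ in transfers:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def find_path(graph, start, target, max_hops=5):
    """Breadth-first search: shortest path of at most max_hops transfers,
    or None when the two addresses are not linked within that bound."""
    if start == target:
        return [start]
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(graph[node]):  # sorted for deterministic paths
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def link_salary_wallets(transfers, salary_addrs, incident_addr, max_hops=5):
    """Return {salary_addr: path} for each wallet linked within max_hops."""
    graph = build_graph(transfers)
    linked = {}
    for addr in salary_addrs:
        path = find_path(graph, addr, incident_addr, max_hops)
        if path:
            linked[addr] = path
    return linked


if __name__ == "__main__":
    salaries = ["0xSALARY_1", "0xSALARY_2", "0xUNRELATED"]
    for addr, path in link_salary_wallets(TRANSFERS, salaries, "0xEXPLOITER").items():
        print(addr, "->", " -> ".join(path[1:]))
```

The hop bound matters: on a real chain almost any two addresses connect through an exchange hot wallet or a bridge within a few hops, so a practitioner excludes known high-traffic service addresses from the graph before searching and treats short paths through private wallets as the strong signal, not the mere existence of a path.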

Discovery Prompts Internal Investigations

The revelation prompted several cryptocurrency projects to conduct internal investigations. Some discovered that their development teams and decision-makers were North Korean operatives using false identities.

Evidence showed one worker interviewed for a full-stack engineer position at Polygon Labs. Other documents contained scripted interview responses claiming experience at OpenSea and Chainlink.

The workers secured roles as blockchain developers and smart contract engineers on freelance platforms. They used remote access software to carry out work for employers who remained unaware of their true identities.

The cryptocurrency community’s reaction has been mixed regarding hiring practices. Many pointed to negligence among teams that become defensive when alerted to potential security threats.

In a separate job-themed scheme reported in January, operatives allegedly stole $2.2 million from New York residents through fake job-assistance campaigns that asked job-seekers to deposit Tether and USD Coin stablecoins into designated accounts.

In June, U.S. authorities seized more than $7.7 million in cryptocurrency earned through a covert network of North Korean IT workers posing as foreign freelancers.
