North Korean Workers Tied to $1.3M Crypto Theft: A Sophisticated Cyber Heist Unveiled

A recent investigation by cybersecurity expert ZachXBT has uncovered a well-organized operation run by North Korean IT workers posing as cryptocurrency developers. The operation is tied to the theft of $1.3 million from a project's treasury, and the investigation also revealed a broader network of compromised crypto projects that has been active since June 2024.

The Theft and Laundering Scheme

The matter came to light when a team, whose name was kept anonymous, sought ZachXBT's advice after realizing that its treasury was $1.3 million lighter. The team had unknowingly hired numerous North Korean IT workers, who used fraudulent identities to infiltrate it.

The stolen money was quickly laundered through a multi-step route. The funds were first moved to a different location and then sent from Solana to Ethereum via deBridge. Over 50.2 ETH was then deposited to Tornado Cash, and 16.5 ETH was eventually split between two exchanges.

Mapping the Network

On further investigation, ZachXBT discovered that most of these malicious developers were part of a larger network. By tracking numerous payment addresses, he confirmed money transfers involving a cluster of 21 developers who received around $375,000 in the last month.

According to the investigation, these transactions were also linked to earlier transactions totaling $5.5 million that were funneled into an exchange deposit address between July 2023 and 2024. The payments were connected to North Korean IT workers and to a person named Sim Hyon Sop, who is sanctioned by the Office of Foreign Assets Control (OFAC).

Unraveling the Complex Web

The investigation surfaced further worrying details. Most notably, several software developers on the project who were supposedly from the US and Malaysia shared the same IP address, which belonged to a Russian telecom. One developer inadvertently exposed other identities during a recording, which nonetheless helped trace payment addresses linked to OFAC-sanctioned individuals such as Sang Man Kim and Sim Hyon Sop.

The recruitment agencies through which some of these developers were hired further complicated the situation. In a majority of instances, at least three North Korean IT workers referred each other, which made it impossible for project teams to identify the breaches.

Preventive Measures for Crypto Teams

ZachXBT stressed the importance of preventive measures that even the most experienced crypto teams should implement to reduce the risk of falling victim to the deceptive tactics seen in these cases. Among the recommendations are:

  • Being cautious about developers who refer each other for roles.
  • Thoroughly vetting developers' resumes and KYC details through background checks.
  • Questioning developers about the locations they claim, for example whether they can explain the cause of power outages there.
  • Regularly checking for developers who are dismissed and reappear later with new accounts.
  • Watching for anyone whose performance keeps getting worse compared to others.
  • Reviewing logs weekly for abnormal activity.
  • Taking a comprehensive approach to eliminating NFT fraud, especially prohibited NFT profile pictures.
  • Noting a possible Asian accent in speech.

By following these pointers, crypto projects can better safeguard themselves against such formidable cyber threats in the years to come.
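As an added example (not from ZachXBT or the original article), the weekly log review can include a check for the pattern described above: accounts claiming different countries that log in from one shared IP address registered somewhere else. The record layout, account names and the IP-to-country lookup result are assumptions, and the sample data is constructed using documentation IP ranges.

```python
from collections import defaultdict

# Constructed sample: (account, claimed_country, source_ip, ip_registered_country).
# IPs come from documentation ranges; ip_registered_country is assumed to be the
# output of an IP-to-network lookup the team already runs (not shown here).
SAMPLE_LOGINS = [
    ("dev_a", "US", "203.0.113.7", "RU"),
    ("dev_b", "MY", "203.0.113.7", "RU"),
    ("dev_a", "US", "203.0.113.7", "RU"),
    ("dev_c", "DE", "198.51.100.20", "DE"),
    ("dev_d", "US", "192.0.2.44", "US"),
    ("dev_d", "US", "198.51.100.99", "US"),
]

def review_logins(logins):
    """Return findings for a periodic access-log review.

    shared_ip:         IPs used by more than one account -> sorted accounts
    location_mismatch: accounts seen from an IP outside their claimed country
    priority:          accounts that appear in both lists
    """
    accounts_by_ip = defaultdict(set)
    mismatches = defaultdict(set)
    for account, claimed, ip, ip_country in logins:
        accounts_by_ip[ip].add(account)
        if claimed != ip_country:
            mismatches[account].add((ip, ip_country))
    shared = {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) > 1}
    shared_accounts = {a for accts in shared.values() for a in accts}
    return {
        "shared_ip": shared,
        "location_mismatch": {a: sorted(v) for a, v in mismatches.items()},
        "priority": sorted(shared_accounts & set(mismatches)),
    }

if __name__ == "__main__":
    findings = review_logins(SAMPLE_LOGINS)
    for ip, accounts in findings["shared_ip"].items():
        print(f"shared IP {ip}: {', '.join(accounts)}")
    for account, seen in findings["location_mismatch"].items():
        print(f"{account}: claimed location contradicted by {seen}")
    print("review first:", findings["priority"])
```

A shared IP can also come from a legitimate VPN or office gateway, so a hit is a reason to ask questions rather than proof on its own.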
