Inside the North Korean crypto worker network linked to $680K hack

A small group of North Korean IT workers has been linked to a $680,000 crypto theft in June — and leaked screenshots reveal how they’ve been blending in with legitimate developers to infiltrate projects, according to Cointelegraph.

The images, shared on X by blockchain investigator ZachXBT, came from an unnamed source who managed to access one of the workers’ devices. They offer a rare look into the methods used by hackers tied to North Korea’s state-backed operations.

Fake identities and hidden work

The group appears to be made up of just six people, but they control at least 31 false identities. These include forged government IDs, phone numbers, and purchased LinkedIn and Upwork accounts. Using these identities, they have applied for developer roles in crypto and blockchain projects.

Evidence suggests one of the workers interviewed for a full-stack engineer position at Polygon Labs. In other cases, they prepared scripted interview answers, claiming past work for companies like OpenSea and Chainlink to gain credibility.

Once hired, they often worked remotely through platforms like Upwork, using AnyDesk for access to company systems and VPNs to hide their locations. Screenshots also showed they used Google Drive, Chrome profiles, and Google’s Korean-to-English translation tool to manage schedules and communicate in English.

A spreadsheet found on one device listed $1,489.80 in expenses for May, detailing the costs of their ongoing operations.

Connection to the Favrr hack

One Payoneer account linked to the group converted fiat into crypto, with activity traced to a wallet address — “0x78e1a” — that investigators say was tied to the June 2025 hack of fan-token marketplace Favrr. That attack drained about $680,000.

ZachXBT previously alleged that Favrr’s chief technology officer, known as “Alex Hong,” and some other developers were in fact North Korean workers using false identities.

The group’s online activity also revealed their research interests, from asking if ERC-20 tokens could run on Solana to searching for AI development companies in Europe.

Past and ongoing operations

North Korean-linked teams have been behind some of the largest crypto thefts on record, including a $1.4 billion exploit of the exchange Bybit earlier this year. Over time, they’ve taken millions from protocols by posing as contractors and remote workers.

Their tactics aren’t always complex, but they work in volume — sending out enough applications that some inevitably slip through. Once inside, they can quietly gather data, siphon funds, or lay the groundwork for future attacks.

Call for tighter checks

ZachXBT says crypto and tech firms need to be more thorough in screening hires. “Many of these operations aren’t highly sophisticated,” he said, “but the sheer number of applications means hiring teams sometimes overlook red flags.”

He added that a lack of cooperation between tech companies and freelance platforms makes it easier for such groups to stay active.

The US Treasury has already taken action, sanctioning two people and four companies linked to a similar North Korean IT worker network in July. The move reflects growing concern over how state-backed cyber teams are targeting private companies — often hiding in plain sight.

(Photo by Mika Baumeister)
