Counter-hack reveals secrets of North Korean IT workers: false identities used to infiltrate crypto companies, with links to a $680,000 hack
A counter-hack against North Korean IT workers has unexpectedly exposed details of how they infiltrated crypto asset companies worldwide. According to screenshots and documents released by cryptocurrency investigator ZachXBT, this small team was not only involved in the $680,000 crypto hacking incident that occurred in June, but had also long used false identities, freelance platforms, and remote tools to get inside multiple blockchain and Web3 projects.
Counter-Hack Unveils Internal Operations
(Source: ZachXBT)
ZachXBT stated that the data came from a North Korean worker's device that had been compromised by an anonymous individual. Screenshots show that the team consists of 6 North Korean IT workers who hold at least 31 false identities, supported by forged government documents, phone numbers, and purchased LinkedIn and UpWork accounts, which they used specifically to apply for positions such as "Blockchain Developer" and "Smart Contract Engineer."
Some members even posed as engineers who had worked at OpenSea and Chainlink, and interviewed for a full-stack engineer position at Polygon Labs.
Infiltration Techniques: Freelance Platforms + Remote Tools
(Source: ZachXBT)
Leaked documents show that these North Korean workers take jobs through platforms like UpWork and use tools such as AnyDesk and VPNs to log into employer systems remotely while hiding their real location. They mainly collaborate using Google Drive, Google Calendar, and Korean-English translation tools. Operating expense records indicate that they spent $1,489.8 in May alone on related operations and equipment rentals.
Connection to the $680,000 Hacking Incident
The investigation found that one of the crypto wallet addresses, 0x78e1a, is directly related to the $680,000 exploit of the fan token marketplace Favrr in June 2025.
ZachXBT pointed out that Favrr's Chief Technology Officer at the time, "Alex Hong," and several of its developers were actually North Korean IT workers disguised as foreign engineers. These funds were eventually converted into crypto assets through Payoneer to finance their operations.
Objectives and Risks: Not Just the Crypto Industry
The search records show that the team is not only focused on cross-chain deployment of ERC-20 and Solana tokens but is also researching top AI development companies in Europe, indicating that their infiltration targets may expand into artificial intelligence and other high-tech fields.
ZachXBT calls on crypto and technology companies to strengthen their hiring checks and on freelance platforms and enterprises to cooperate more closely to prevent similar infiltration.
Conclusion
This counter-hack has revealed how efficient and covert North Korean IT workers have become at infiltrating the crypto asset industry: from false identities and remote access to direct participation in hacking attacks, the entire process has become highly mature. With the recent sanctions imposed by the U.S. Treasury on relevant individuals and entities, the industry must recognize that this "invisible war" against the crypto asset and technology sectors is still escalating.