North Korean workers tied to $1.3M crypto theft: ZachXBT

As a seasoned analyst with over two decades of experience in cybersecurity and blockchain technology, I find ZachXBT’s recent findings both alarming and intriguing. The scale and sophistication of this operation, involving North Korean IT workers masquerading as crypto developers, is a stark reminder of the evolving nature of cyber threats in our interconnected world.


According to a recent thread by the cybersecurity investigator ZachXBT, a sophisticated scheme appears to be unfolding in which North Korean IT workers pose as cryptocurrency developers.

The operation led to the theft of $1.3 million from a project’s treasury and exposed a network of over 25 compromised crypto projects active since June 2024.

ZachXBT’s findings indicate a strong possibility that one unidentified group based in Asia, possibly operating from North Korea, is earning between $300,000 and $500,000 monthly by managing more than two dozen cryptocurrency projects under false identities.

6/ Many seasoned development teams have previously employed these developers, so it’s not entirely justifiable to solely point fingers at them.

In the future, teams should be vigilant about the following signs:

1) They frequently recommend each other for positions
2) Impressive resumes or GitHub activity, but keep in mind that such indicators may not always be truthful…

— ZachXBT (@zachxbt) August 15, 2024

The theft and laundering scheme

The case began when a team contacted ZachXBT for help after roughly $1.3 million was stolen from their treasury. It turned out that they had unwittingly hired several North Korean IT workers who used false identities to infiltrate the team.

The stolen $1.3 million was quickly laundered through a series of transactions: the funds were moved to an address controlled by the thief, swapped from Solana (SOL) to Ethereum (ETH) via deBridge, 50.2 ETH was deposited into Tornado Cash, and finally 16.5 ETH was transferred to two separate cryptocurrency exchanges.

Mapping the network

Further research showed that these malicious developers were linked to a larger group. By following the various payment addresses, the investigator identified a cluster of around 21 individuals who had collectively received roughly $375,000 within the past month.

The investigation also connected these activities to previous transactions totaling $5.5 million, which flowed into an exchange deposit address from July 2023 to 2024. 

The payments under scrutiny were associated with North Korean IT workers and with Sim Hyon Sop, an individual sanctioned by the Office of Foreign Assets Control (OFAC). During the investigation, several suspicious patterns emerged, such as Russian telecom IP addresses that overlapped among developers who claimed to be located in the U.S. and Malaysia.

Furthermore, a developer accidentally leaked additional identities while being recorded. Subsequent inquiries found that the corresponding payment details were closely tied to OFAC-sanctioned individuals, specifically Sang Man Kim and Sim Hyon Sop.

The involvement of recruitment agencies in hiring some of the developers complicated the picture further. Moreover, several projects had employed at least three North Korean IT workers, who often recommended one another for positions.
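The two red flags the investigation keeps returning to (contributors who vouch for each other, and contributors who share a source IP while claiming to work from different countries) can be screened for mechanically once a team logs where its developers connect from. The following is an added example, not code from ZachXBT or from any affected project; the contributor records, referral links and IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (hypothetical; not data from the investigation).
# Each record: contributor handle, the country they claim to work from,
# source IPs seen on their Git pushes or VPN logins, and who referred them.
CONTRIBUTORS = [
    {"handle": "dev_a", "claimed_country": "US", "ips": {"203.0.113.7"}, "referred_by": "dev_b"},
    {"handle": "dev_b", "claimed_country": "MY", "ips": {"203.0.113.7", "198.51.100.4"}, "referred_by": "dev_a"},
    {"handle": "dev_c", "claimed_country": "DE", "ips": {"192.0.2.9"}, "referred_by": None},
    # dev_d shares an office (and IP) with dev_c in the same country: not a conflict.
    {"handle": "dev_d", "claimed_country": "DE", "ips": {"192.0.2.9"}, "referred_by": "dev_c"},
]


def shared_ip_location_conflicts(contributors):
    """Pairs of contributors who share a source IP yet claim different countries."""
    by_ip = defaultdict(list)
    for c in contributors:
        for ip in c["ips"]:
            by_ip[ip].append(c)
    conflicts = set()
    for ip, group in by_ip.items():
        for x, y in combinations(group, 2):
            if x["claimed_country"] != y["claimed_country"]:
                a, b = sorted((x["handle"], y["handle"]))
                conflicts.add((a, b, ip))
    return sorted(conflicts)


def mutual_referrals(contributors):
    """Pairs who vouched for each other (A referred B and B referred A)."""
    referrer = {c["handle"]: c["referred_by"] for c in contributors}
    pairs = set()
    for handle, ref in referrer.items():
        if ref and referrer.get(ref) == handle:
            pairs.add(tuple(sorted((handle, ref))))
    return sorted(pairs)


def review_queue(contributors):
    """Handles that trip at least one heuristic and warrant a manual identity check."""
    flagged = set()
    for a, b, _ in shared_ip_location_conflicts(contributors):
        flagged.update((a, b))
    for a, b in mutual_referrals(contributors):
        flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    print("IP/location conflicts:", shared_ip_location_conflicts(CONTRIBUTORS))
    print("Mutual referrals:", mutual_referrals(CONTRIBUTORS))
    print("Needs manual review:", review_queue(CONTRIBUTORS))
```

A hit from either heuristic is a prompt for a live identity check (video call, document verification, cross-checking the stated location against billing and payroll data), not proof of wrongdoing on its own.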

Preventive measures

ZachXBT noted that some skilled teams have unwittingly brought on board dishonest programmers, which makes it somewhat unjust to solely hold the teams responsible for this. Nevertheless, there are various strategies that teams can implement to safeguard themselves moving forward.

Based on my extensive experience working in the digital industry, I believe it is crucial to take a proactive approach when hiring developers. Here are some measures that I find effective:


2024-08-15 19:58