Zachxbt Uncovered DPRK Infiltrations on Different Crypto Project Funds

Zachxbt uncovered DPRK nationals who meticulously stole a crypto project's funds

Zachxbt, a private investigator, recently uncovered a case involving the theft of $1.3 million from a cryptocurrency project’s treasury. The investigation revealed a sophisticated network of North Korean (DPRK) IT workers operating under assumed identities.

According to the source, the initial report of the theft brought to light the alarming fact that the project had unknowingly employed multiple DPRK nationals disguised as legitimate developers. Furthermore, the meticulously planned laundering scheme pointed towards a coordinated and well-resourced operation.

DPRK Infiltrated Numerous Projects

According to Zachxbt, the DPRK was behind a host of similar schemes. The group uses popular NFT profile pictures, attractive resumes, and active GitHub accounts, and sometimes falsifies its work history, to infiltrate businesses and crypto projects.

Furthermore, they are usually willing to undergo Know Your Customer (KYC) procedures but may submit fake identification in the hope that teams do not conduct thorough investigations.

The group first sent the stolen funds to a specific theft address (6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet). The funds were then moved from the Solana network to Ethereum using deBridge, allowing for increased anonymity and control.

Moreover, the subsequent deposit of 50.2 ETH into the infamous Tornado Cash mixer further obfuscated the trail of the stolen funds.

“While Tornado Cash serves as a legitimate privacy-enhancing tool, it has unfortunately also become a hub for illegal activities, allowing criminals to hide the source of their assets. Additionally, 16.5 ETH was transferred to two exchanges.

Moreover, after carefully examining multiple payment addresses associated with 21 developers, we discovered a series of recent payments totaling around $375,000 over the last month. These payments lead us to a specific address (0xb721adfc3d9fe01e9b3332183665a503447b1d35), providing further proof of the coordinated nature of the operation.”

Discoveries of Zachxbt's Investigation

This investigation delved even deeper, uncovering a larger web of suspicious activities. Before the $1.3 million theft, a significant sum of $5.5 million flowed into an exchange deposit address (0x8f0212b1a77af1573c6ccdd8775ac3fd09acf014).

This address received payments from DPRK IT workers between July 2023 and 2024, connecting the network to individuals sanctioned by the Office of Foreign Assets Control (OFAC), including Sim Hyon Sop.

Further analysis revealed a disconcerting overlap between the IP addresses of developers allegedly located in the United States and Malaysia, with IP ranges commonly associated with Russian telecommunication providers. This unexpected connection raises serious questions about the true locations and identities of these individuals.
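The check behind that finding, as an added example that is not from the article or from Zachxbt's investigation: it compares each developer identity's claimed country with the country of the network announcing its login IP, and flags any network range shared by more than one supposedly independent identity. The login records, the ASN table and its country attributions are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed data: residency each developer identity claimed at onboarding/KYC.
CLAIMED_COUNTRY = {"dev_a": "US", "dev_b": "MY", "dev_c": "US", "dev_d": "DE"}

# Constructed stand-in for an IP-to-ASN/country lookup service. Prefixes are
# RFC 5737 documentation ranges; the ASN names and countries are invented.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), "AS64500 example-telecom-ru", "RU"),
    (ip_network("198.51.100.0/24"), "AS64501 example-isp-us", "US"),
    (ip_network("192.0.2.0/24"), "AS64502 example-isp-de", "DE"),
]

# Constructed login records: (identity, source IP of the session).
LOGINS = [
    ("dev_a", "203.0.113.17"),
    ("dev_b", "203.0.113.42"),
    ("dev_c", "198.51.100.9"),
    ("dev_d", "192.0.2.77"),
    ("dev_a", "203.0.113.18"),
]


def lookup_asn(ip):
    """Return (asn, country) for an IP, or (None, None) if no range matches."""
    addr = ip_address(ip)
    for net, asn, country in ASN_TABLE:
        if addr in net:
            return asn, country
    return None, None


def analyse_logins(logins, claimed):
    """Return (mismatches, shared).

    mismatches: (identity, ip, claimed_country, observed_country) for each login
                whose network country disagrees with the claimed residency.
    shared:     ASNs from which more than one distinct identity logged in,
                the overlap pattern described in the article.
    """
    mismatches = []
    by_asn = defaultdict(set)
    for ident, ip in logins:
        asn, country = lookup_asn(ip)
        if asn is None:
            continue  # unknown range: nothing to compare against
        by_asn[asn].add(ident)
        if country != claimed.get(ident):
            mismatches.append((ident, ip, claimed.get(ident), country))
    shared = {asn: sorted(ids) for asn, ids in by_asn.items() if len(ids) > 1}
    return mismatches, shared
```

Run on real data, the ASN table would be replaced by a routing/geolocation lookup and the claimed country by the HR or KYC record; both signals together (mismatch plus shared network) are stronger than either alone.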