North Korean Hackers Used 31 Fake IDs to Steal $680K from Crypto Firms

Quick overview

  • A North Korean IT team hacked the fan-token marketplace Favrr for $680,000 in June 2025; the breach was traced back to a single compromised device.
  • The hackers employed over 31 fake identities and utilized tools like Google Drive and VPNs to plan and execute their attacks.
  • They targeted cryptocurrency firms by securing remote jobs to gain access to backend systems and wallets.
  • This incident highlights the increasing sophistication of North Korean cyber operations and the need for enhanced identity verification in the crypto industry.

A recent investigation has uncovered how a North Korean IT team targeted cryptocurrency companies and hacked fan-token marketplace Favrr for $680,000 in June 2025. The breach was traced back to a single compromised device and showed the inner workings of the group. Screenshots, Chrome profiles and Google Drive exports revealed how they infiltrated crypto firms.

Cybersecurity researcher ZachXBT verified wallet activity tied to the stolen funds, including one wallet address, “0x78e1a”, which confirmed the team’s involvement in the attack. These findings show the level of planning and coordination among the operatives.

Inside the Hackers’ Workflow

The six-member team used at least 31 fake identities. They collected government-issued IDs and phone numbers to get blockchain development jobs. Some even bought LinkedIn and Upwork accounts to strengthen their cover, claiming experience at major blockchain companies like Polygon Labs, OpenSea and Chainlink.

Key tools and techniques:

  • Google Drive and Spreadsheets: For budgeting, task tracking and planning attacks.
  • Google Translate: To overcome language barriers between Korean and English.
  • VPNs and Remote Access Tools: AnyDesk and other software to mask their locations and remotely access client systems.

They even rented computers and used VPNs to create new accounts, so their activity remained anonymous.

Exploiting Remote Jobs to Target Crypto

Documents from the compromised device showed the hackers preparing scripts and interview notes to get remote jobs. Once employed, they got access to backend systems, code repositories and wallets.

More evidence showed the group scouting European AI companies, mapping new blockchain targets and learning how to deploy tokens across multiple chains. This is in line with broader cybersecurity reports that North Korean IT workers often exploit remote positions to get into the crypto space.

Key Takeaways:

  • Hackers used 31+ fake IDs to look legit.
  • Google tools were central to coordination and planning.
  • Remote work enabled access to crypto infrastructure.

These findings show the growing sophistication of North Korean cyber operations and the importance of identity verification in the crypto space.

ABOUT THE AUTHOR
Arslan Butt
Lead Markets Analyst – Multi-Asset (FX, Commodities, Crypto)
Arslan Butt serves as the Lead Commodities and Indices Analyst, bringing a wealth of expertise to the field. With an MBA in Behavioral Finance and active progress towards a Ph.D., Arslan possesses a deep understanding of market dynamics. His professional journey includes a significant role as a senior analyst at a leading brokerage firm, complementing his extensive experience as a market analyst and day trader. Adept in educating others, Arslan has a commendable track record as an instructor and public speaker. His incisive analyses, particularly within the realms of cryptocurrency and forex markets, are showcased across esteemed financial publications such as ForexCrunch, InsideBitcoins, and EconomyWatch, solidifying his reputation in the financial community.
