North Korean Hackers Infiltrate Crypto Firms with Fake Jobs

Inside DPRK’s $680K Crypto Infiltration
An unnamed source gained access to a North Korean IT worker’s device and pulled screenshots, browser profiles, and Google Drive exports. The leak shows a small team of about six workers coordinating at least 31 fake identities to win blockchain development gigs. They bought government IDs, phone numbers, and pre-made LinkedIn and Upwork accounts to pass screening, then pitched themselves as “blockchain developer” or “smart contract engineer” candidates to crypto projects. One member interviewed for a role at Polygon Labs. Several resumes claimed experience with OpenSea and Chainlink.
How the operation ran day to day
The materials detail a simple but disciplined playbook. Workers used VPNs to hide location, AnyDesk for remote access, and Google tools for schedules, budgets, and interview scripts written in English with help from Google Translate. Chrome profiles separated each persona. An expense sheet for May listed 1,489.8 dollars for identity documents, accounts, proxies, and AI subscriptions. The internal notes show an operation that was not sophisticated but was persistent and process-driven, which helped the workers slip through busy hiring funnels.
Money trail to the Favrr exploit
Investigators linked the team to a June 2025 theft of about 680,000 dollars from the fan-token marketplace Favrr. The group often used Payoneer to move earnings into crypto. One Ethereum wallet that begins 0x78e1a was described as closely tied to the Favrr drain. At the time of the attack, the project’s CTO, known as Alex Hong, and some developers were alleged to be DPRK workers using false documents. These links connect the hiring fraud to a specific on-chain loss.
The wider pattern US authorities are chasing
The case fits a broader enforcement picture. In late June and early July 2025, the Department of Justice and FBI announced raids on 29 “laptop farms” across 16 states, seizures of domains and bank accounts, and indictments tied to schemes that placed North Korean operatives inside more than 100 US companies. Court filings describe stolen or fabricated identities, front companies, and crypto thefts at tech and blockchain firms. Authorities say these salaries and thefts help fund the regime’s weapons programs.
Why crypto teams are exposed
Crypto hiring is fast, remote, and global. Screening is uneven across freelance platforms and small teams. That creates space for coordinated identity fraud, rented hardware, and off-policy remote access tools to become real production access. The leaked files show how a low-tech process can work at scale if interviewers do not verify identities, test skills live, and fingerprint devices. The lesson is clear. Assume insider risk from day one, even for contractors who arrive through reputable platforms.
Practical defenses you can deploy now
Verify identity across multiple sources and require live coding with video. Check device fingerprints and geolocation consistency. Block unsanctioned remote access tools and log session recordings. Segment privileges, rotate secrets on role change, and force code reviews for sensitive repos. Watch for payments routed through intermediaries that match known DPRK tradecraft. Share indicators with platforms and peers so repeat applicants are easier to spot.
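As an added illustration (not taken from the leaked material or any cited source), the Python sketch below applies three of these checks to contractor session telemetry: unsanctioned remote access tools such as AnyDesk, VPN exit IPs, and geolocation that disagrees with the declared country. The log schema, field names, tool list, and sample records are all constructed assumptions.

```python
import json
from collections import defaultdict

# Assumed policy list of remote access tools not approved for contractors.
UNSANCTIONED_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

# Constructed sample telemetry: one JSON object per contractor session.
SAMPLE_LOG = """
{"user": "c-101", "declared_country": "US", "ip_country": "US", "vpn_exit": false, "procs": ["code", "chrome"]}
{"user": "c-102", "declared_country": "US", "ip_country": "US", "vpn_exit": true, "procs": ["AnyDesk.exe", "chrome.exe"]}
{"user": "c-102", "declared_country": "US", "ip_country": "NL", "vpn_exit": true, "procs": ["chrome.exe"]}
{"user": "c-103", "declared_country": "CA", "ip_country": "CA", "vpn_exit": false, "procs": ["node"]}
"""

def normalize(proc):
    """Lower-case a process name and drop a trailing .exe."""
    name = proc.lower()
    return name[:-4] if name.endswith(".exe") else name

def review_sessions(log_text):
    """Return {user: sorted findings} for users whose sessions need review."""
    findings = defaultdict(set)
    countries = defaultdict(set)
    for line in log_text.strip().splitlines():
        session = json.loads(line)
        user = session["user"]
        countries[user].add(session["ip_country"])
        # Off-policy remote access software running on the work device.
        for tool in {normalize(p) for p in session["procs"]} & UNSANCTIONED_TOOLS:
            findings[user].add(f"remote-access-tool:{tool}")
        # Source IP belongs to a known VPN exit (flag set upstream).
        if session["vpn_exit"]:
            findings[user].add("vpn-exit-ip")
        # IP geolocation disagrees with the country given at onboarding.
        if session["ip_country"] != session["declared_country"]:
            findings[user].add(f"geo-mismatch:{session['ip_country']}")
    # One account appearing from several countries is a consistency failure.
    for user, seen in countries.items():
        if len(seen) > 1:
            findings[user].add("multiple-countries")
    return {user: sorted(flags) for user, flags in findings.items()}

if __name__ == "__main__":
    for user, flags in review_sessions(SAMPLE_LOG).items():
        print(user, flags)
```

No single flag is conclusive, since legitimate contractors also use VPNs; the value is in the combination per account, which is what should reach a human reviewer.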
Sources
- Cointelegraph. Someone counter-hacked a North Korean IT worker. Aug 14, 2025. https://cointelegraph.com/news/someone-counter-hacked-a-north-korean-it-worker-here-s-what-they-found
- CryptoSlate. ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms. Aug 13, 2025. https://cryptoslate.com/zachxbt-exposes-north-korean-it-workers-operating-30-fake-identities-across-development-platforms/
- The Record by Recorded Future News. DOJ raids 29 laptop farms in operation against North Korean IT worker scheme. Jun 30, 2025. https://therecord.media/doj-raids-laptop-farms-crackdown
- POLITICO. Hundreds of laptops, bank accounts linked to North Korean fake IT workers scheme seized in major crackdown. Jun 30, 2025. https://www.politico.com/news/2025/06/30/justice-department-north-korea-it-workers-00433744
- BlockchainTechnology-News. Inside the North Korean crypto worker network linked to 680k hack. Aug 2025. https://blockchaintechnology-news.com/news/inside-the-north-korean-crypto-worker-network-linked-to-680k-hack/
Market Munchies and Mode Mobile communications are for informational purposes only, and are not a recommendation, solicitation, or research report relating to any investment strategy, security, or digital asset. All investments involve risk including the loss of principal and past performance does not guarantee future results.
Any information contained in this commentary does not purport to be a complete description of the securities, markets, or developments referred to in this material. The information has been obtained from sources considered to be reliable, but we do not guarantee that the foregoing material is accurate or complete. There is no guarantee that any statements or opinions provided herein will prove to be correct.