North Korean IT workers used 30+ fake IDs to target crypto companies: report

2025/08/14 16:09

A compromised device from a North Korean IT worker has exposed the inner workings of the team behind the $680,000 Favrr hack and their use of Google tools to target crypto projects.

Summary
  • A compromised device belonging to a North Korean IT worker exposed the inner workings of threat actors.
  • Evidence shows operatives used Google-powered tools, AnyDesk, and VPNs to infiltrate crypto firms.

According to on-chain sleuth ZachXBT, the trail began with an unnamed source who gained access to one of the workers’ computers, uncovering screenshots, Google Drive exports, and Chrome profiles that pulled back the curtain on how the operatives planned and carried out their schemes.

Drawing on wallet activity and matching digital fingerprints, ZachXBT verified the source material and tied the group’s cryptocurrency dealings to the June 2025 exploit of the fan-token marketplace Favrr. One wallet address, “0x78e1a,” showed direct links to stolen funds from the incident.

Inside the operation

The compromised device showed that the small team — six members in total — shared at least 31 fake identities. To land blockchain development jobs, they amassed government-issued IDs and phone numbers, even buying LinkedIn and Upwork accounts to complete their cover.

An interview script found on the device showed them boasting of experience at well-known blockchain firms, including Polygon Labs, OpenSea, and Chainlink.

Google tools were central to their organized workflow. The threat actors were found to be using Google Drive spreadsheets to track budgets and schedules, while Google Translate bridged the language gap between Korean and English.

Among the information pulled from the device was a spreadsheet that showed IT workers were renting computers and paying for VPN access to buy fresh accounts for their operations.

The team also relied on remote access tools such as AnyDesk, allowing them to control client systems without revealing their true locations. VPN logs tied their activity to multiple regions, masking North Korean IP addresses.

Additional findings revealed the group looking up ways to deploy tokens across different blockchains, scouting AI firms in Europe, and mapping out fresh targets in the crypto space.

North Korean threat actors use remote jobs

ZachXBT found the same pattern flagged in multiple cybersecurity reports — North Korean IT workers landing legitimate remote jobs to slip into the crypto sector. By posing as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.

One document uncovered on the device contained interview notes and preparation materials, likely meant to be kept on-screen or nearby during calls with potential employers.
