North Korean Hackers Target Crypto Projects Using Fake Profiles

North Korean Hackers Infiltrate Crypto Projects via Fake Identities

A team of North Korean IT operatives has been exposed for infiltrating cryptocurrency projects using sophisticated deception tactics. Blockchain investigator ZachXBT revealed the group used fake profiles, Google tools, and rented computers to steal $680,000 in June 2025.

Elaborate Identity Fraud

The six-member hacking team maintained 31 false identities using stolen government IDs, phone numbers, and purchased LinkedIn/Upwork accounts. One member even applied to Polygon Labs posing as a former Chainlink and OpenSea employee, with scripted interview responses.

Freelance Platforms as Attack Vectors

Posing as blockchain developers, the hackers secured positions through Upwork using remote access tools like AnyDesk and VPNs to conceal their location. Google Drive and Chrome were utilized for task management, scheduling, and communication via translation tools.

Connections to Major Heists

Evidence links their cryptocurrency wallet to the $680,000 Favrr marketplace hack. Their search history revealed technical interests including ERC-20 token functionality on Solana and European AI companies.

Security Warnings and Sanctions

ZachXBT warns inadequate vetting enables such breaches. The U.S. Treasury recently sanctioned two individuals and four companies tied to North Korean IT infiltration networks targeting crypto businesses.