An organized group used more than 31 fake identities to infiltrate cryptocurrency projects and steal nearly $680,000 in an operation tied to a June 2025 theft from the Favrr platform. The attackers combined social engineering, purchased accounts, forged documents, rented equipment and remote access tools to gain and maintain unauthorized access.
Infiltration method
The group created fake profiles on LinkedIn and Upwork, produced official-looking paperwork, and rented gear to pose as legitimate workers. About six operators managed the 31 identities. To keep access while avoiding detection, they used remote access tools for remote control, tools to hide their locations, shared tools like Google Drive, and Chrome profiles with automatic language changes to operate in English.
Funds movement and laundering
The attackers converted fiat into cryptocurrency using international payment services and routed transfers to wallets linked to the Favrr incident. Blockchain analysts, including ZachXBT, traced address relationships and money flows that helped reconstruct how funds were consolidated and moved across services and platforms.
Factors that allowed the fraud
High volumes of applications, weak identity verification and reliance on online profiles without document checks or face-to-face verification allowed fake candidates to pass as real hires. Normal remote-work practices became risky when there was no strict control over who received access and no continuous monitoring, and the lack of shared indicators among hiring sites, payment services and crypto projects enabled the scheme to persist.
Regulatory response and geopolitical dimension
U.S. Treasury measures against North Korean cybercrime underline that illicit crypto proceeds can be repurposed for state objectives and that large-scale campaigns, such as those attributed to Lazarus, can be highly sophisticated. These regulatory actions and attributions frame the Favrr-linked theft within a broader geopolitical effort to disrupt funding channels that abuse cryptocurrencies.
Practical recommendations for crypto projects
Crypto projects should require robust identity verification, including paper checks and live video or in-person checks for sensitive roles, apply the principle of least privilege, and segment access to limit the impact of compromises. They should also monitor access and fund flows for anomalies, maintain incident response plans, and proactively share indicators of compromise across exchanges, platforms and hiring sites to block common entry paths.
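One way to act on the access-monitoring recommendation, given that about six operators stood behind 31 identities: group contractor accounts that share a source IP or device fingerprint, following the links transitively. This is an added example, not code from the investigation; the record layout, account names, addresses and fingerprints are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample access-log records (account, source_ip, device_id); not real data.
SAMPLE_LOGINS = [
    ("dev-alice", "203.0.113.10", "fp-a1"),
    ("dev-bob",   "203.0.113.10", "fp-b2"),   # shares an IP with dev-alice
    ("dev-carol", "198.51.100.7", "fp-b2"),   # shares a device with dev-bob
    ("dev-dan",   "192.0.2.44",   "fp-d4"),   # no overlap with anyone
    ("dev-erin",  "192.0.2.99",   "fp-e5"),
    ("dev-frank", "192.0.2.99",   "fp-e5"),   # same IP and device as dev-erin
]

def cluster_identities(logins, ignore_ips=frozenset()):
    """Group accounts that share a source IP or device fingerprint, transitively."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for account, ip, device in logins:
        acct = ("acct", account)
        find(acct)
        if ip not in ignore_ips:          # e.g. a known office egress address
            union(acct, ("ip", ip))
        union(acct, ("dev", device))

    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "acct":
            groups[find(node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

def suspicious_clusters(logins, ignore_ips=frozenset(), min_size=2):
    """Return clusters where several supposedly separate identities overlap."""
    return [g for g in cluster_identities(logins, ignore_ips) if len(g) >= min_size]

if __name__ == "__main__":
    for group in suspicious_clusters(SAMPLE_LOGINS):
        print(f"{len(group)} identities share infrastructure: {', '.join(group)}")
```

A cluster is a lead for manual review rather than proof of fraud, since legitimate workers can share an address; pass such known addresses in `ignore_ips`.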
The Favrr-linked case demonstrates that weak identity checks and lax access management are primary vulnerabilities for crypto companies, and without stronger operational security attackers will continue to exploit combined social-engineering and remote-work techniques.