
How 31 “developers” from North Korea deceived crypto companies and stole $680,000

An organized group used more than 31 fake identities to infiltrate cryptocurrency projects and steal nearly $680,000 in an operation tied to a June 2025 theft from the Favrr platform. The attackers combined social engineering, purchased accounts, forged documents, rented equipment and remote access tools to gain and maintain unauthorized access.

Infiltration method

The group created fake profiles on LinkedIn and Upwork, produced official-looking paperwork, and rented gear to pose as legitimate workers. About six operators managed the 31 identities. To keep access while avoiding detection, they used remote access tools for remote control, hid their locations, relied on shared tools like Google Drive, and ran Chrome profiles with automatic language changes to operate in English.

Funds movement and laundering

The attackers converted fiat into cryptocurrency using international payment services and routed transfers to wallets linked to the Favrr incident. Blockchain analysts, including ZachXBT, traced address relationships and money flows that helped reconstruct how funds were consolidated and moved across services and platforms.

Factors that allowed the fraud

High volumes of applications, weak identity verification and reliance on online profiles without document or face-to-face evidence allowed fake candidates to pass as real hires. Normal remote-work practices became risky when there was no strict control over who received access and no continuous monitoring. The lack of shared indicators among hiring sites, payment services and crypto projects enabled the scheme to persist.

Regulatory response and geopolitical dimension

U.S. Treasury measures against North Korean cybercrime underline that illicit crypto proceeds can be repurposed for state objectives and that large-scale campaigns, such as those attributed to Lazarus, can be highly sophisticated. These regulatory actions and attributions frame the Favrr-linked theft within a broader geopolitical effort to disrupt funding channels that abuse cryptocurrencies.

Practical recommendations for crypto projects

Crypto projects should require robust identity verification, including document checks and live video or in-person checks for sensitive roles, apply the principle of least privilege, and segment access to limit the impact of compromises. They should also monitor access and fund flows for anomalies, maintain incident response plans, and proactively share indicators of compromise across exchanges, platforms and hiring sites to block common entry paths.

The Favrr-linked case demonstrates that weak identity checks and lax access management are primary vulnerabilities for crypto companies. Without stronger operational security, attackers will continue to exploit combined social-engineering and remote-work techniques.
