North Korean Developer Gains Control of Waves Protocol’s Keeper-Wallet

Coin World, Thursday, Jun 19, 2025 5:25 am ET

A North Korean developer, identified as "AhegaoXXX," gained elevated privileges within the Waves Protocol’s Keeper-Wallet codebase, according to a report published on June 18. The developer was found to have pushed updates to the Keeper-Wallet, which had shown no legitimate commits since August 2023. The repository analytics indicated that the user had the ability to open branches, create releases, and publish to the Node Package Manager (NPM) registry, effectively giving the operator complete control over the organization.

The report linked "AhegaoXXX" to contracting rings of DPRK IT workers, which had previously used freelance channels to infiltrate software projects. The account’s reach extended beyond simple maintenance, as redirect rules inside the main Waves Protocol namespace now point to identical packages inside the newly active Keeper-Wallet namespace. This suggests that an insider moved code from the core organization to the wallet project.

One of the suspicious code changes involved a commit inside “Keeper-Wallet/Keeper-Wallet-Extension” that adds a function exporting wallet logs and runtime errors to an external database. The modified routine captures mnemonic phrases and private keys before transmission, raising the likelihood of credential exfiltration. Although the branch remains unmerged, its presence indicates an intent to include the code in a production release.

The NPM registry records reflect related activity, with versions of “@waves/provider-keeper,” “@waves/waves-transactions,” and four other packages suddenly advancing after two years of dormancy. Each publication lists “msmolyakov-waves” as a maintainer. GitHub history shows that the account belonged to former Waves engineer Maxim Smolyakov and exhibited no activity since 2023 until it approved a pull request from “AhegaoXXX” and triggered a new NPM release in under four minutes. The report assessed that the engineer’s credentials now fall under DPRK control, providing the attacker with a second trusted path to distribute malicious builds.

The shift from isolated freelancing to direct repository control marks an unusual crossover between ordinary DPRK contract work and an overt hacking campaign. Download counts for affected packages remain low, but any Waves user who installs or updates Keeper-Wallet risks importing code that forwards secret phrases to a hostile server. The publication advised development teams to tighten supply-chain defenses, including auditing contributor privileges, removing inactive members from GitHub organizations, tracking who can trigger package releases, and monitoring repository redirects across ecosystems such as npm and Docker. Lastly, the firm encouraged regular reviews of publisher e-mail domains to detect dormant accounts that could approve rogue updates.