North Korean Hackers Target Meme Tokens Causing $1 Million Loss

Generated by AI AgentCoin World
Friday, Jun 27, 2025 1:30 pm ET

Recent investigations have revealed that multiple meme token projects have been compromised through connections to North Korean hackers. These hackers have been linked to known exploits, with multiple profiles intercepted by ZachXBT and other investigators. The attacks have resulted in losses of up to $1 million, primarily affecting relatively new tokens. However, the evidence suggests that these hackers are actively targeting the meme token space, potentially infiltrating projects on

and .

Some of the compromised projects are linked to the cartoonist Matt Furie, the creator of the iconic Pepe image. ZachXBT traced a set of attacks that affected NFT collections, including Chain/saw and Favvr. These attacks involved the minting of new NFTs, causing the floor price to drop to zero. The wallets used in these attacks were traced back to the profiles and repositories of blockchain developers with suspected connections to the North Korean regime.

One of the identified hackers was hired by the Favvr project, which resulted in a loss of over $680,000. Alex Hong, the Favvr project CTO, was also suspected of involvement. He left social media in May and deleted his affiliated LinkedIn account. Previously, DPRK hackers have been involved in Web 3.0 projects, primarily leading to compromised smart contracts.

Token creation on Pump.fun is generally democratic, but DPRK hackers are also offering code to automate token creation or trading. Investigators have discovered a series of social media accounts and GitHub profiles linked to North Korean hackers. These profiles offer code for multiple chains, including Ethereum, Smart Chain, Base, Arbitrum, and others. One of the identified hacker accounts also shared a Solana copy-trading tool. These accounts are actively touting their services, advertising direct hiring from their profiles while disparaging other software developer agencies.

Some of the hackers have formed teams with old social media accounts, aiming to be hired as blockchain developers and potentially compromising meme tokens and other projects. The hacker cluster is also connected to previously discovered accounts, posing as Polish or US nationals. Their main goal is to obtain remote software engineering jobs, including full-stack blockchain roles. Some of these attempts to get hired moved through the freelance hub Inspiration with Digital Living (IWDL), trying to trick legitimate projects into hiring possibly DPRK-affiliated IT workers. Part of the attempts also involves the creation of fake freelancer sites, which present the connected profiles.

The Pump.fun token cycle reportedly involved multiple meme projects linked to DPRK hackers. Previously, threat actors have also deliberately launched a meme token to launder funds from a previous Web3 heist. The list of hacker handles and profiles is constantly growing, and not all are active. The potential heist is the reverse of the fake job offers, which attempt to install malware on user computers.