Blockchain investigator ZachXBT has linked a major exploit affecting several NFT projects connected to Pepe creator Matt Furie to a group of suspected North Korean IT workers.
According to his analysis, the attacks led to the loss of over $1 million across multiple platforms, including ChainSaw-related projects Replicandy and Peplicator, with around $310,000 stolen from those alone.
North Korean Network Suspected in $680K Crypto Heist, NFT Exploit, and Developer Infiltration
In a post shared on X, ZachXBT explained that the attackers gained control of smart contract ownership, used the minting function to generate new NFTs, and sold them into bids. This action caused the floor prices of the affected collections to crash to zero.
The exploit began on June 18, 2025, when ownership of Replicandy was transferred to an externally owned address (EOA), identified as 0x9Fca. Later that same day, funds were withdrawn from the contract.
The attacker resumed the minting process the following morning, minting and dumping NFTs on the market. A few days later, on June 23, the same address assumed control over Peplicator, Hedz, and Zogz contracts, projects also tied to Matt Furie and ChainSaw.
Funds stolen from the ChainSaw-related projects were traced through three wallets. Some of the ETH was later converted and transferred to MEXC, a centralized exchange.
ZachXBT noted that one deposit address at MEXC had received repeated stablecoin transfers over several months, ranging between $2,000 and $10,000, suggesting broader use of the same IT worker network across multiple crypto projects.
Further investigation uncovered GitHub accounts linked to the suspected attackers. According to ZachXBT, one developer who claimed to be based in the U.S. had Korean language settings, used Astral VPN, and operated in Asia/Russia time zones, red flags pointing to North Korean links. Internal logs and payroll connections added more weight to the claims.
Another affected project, Favrr, reportedly lost more than $680,000 on June 25. One of its developers, identified as Alex Hong, is suspected of being a North Korean IT worker. His LinkedIn profile was recently deleted, and efforts to verify his past work experience failed.
ZachXBT said, “The Favrr CTO appears suspicious and is likely one of the two DPRK ITWs hired.”
“The situation is depressing,” ZachXBT added, “because many teams hire DPRK IT workers when basic due diligence could’ve prevented it.”
He also criticized the lack of transparency from Matt Furie and ChainSaw since the incident. According to him, their only public warning to the community was deleted without explanation. Most of the stolen funds from the ChainSaw exploit remain unmoved.
Meanwhile, the Favrr funds were funneled through Gate.io and other channels.
ZachXBT said he plans to release broader statistics soon, highlighting how widespread payments to suspected North Korean workers have become in the crypto space.
North Korean IT Worker Scheme Tied to Ongoing Crypto Exploits as U.S. Seizes $7.7M in Laundered Funds
On June 6, the U.S. Department of Justice filed a civil forfeiture complaint to seize $7.7 million in crypto allegedly earned by North Korean IT operatives posing as remote freelancers.
These workers secured positions at blockchain firms and funneled earnings, often paid in stablecoins like USDC and USDT, back to the North Korean regime, bypassing U.S. sanctions.
Authorities said the operation supports North Korea’s weapons program and was orchestrated through fake identities, sophisticated laundering tactics, and shell companies.
One named figure is Sim Hyon Sop, previously indicted in 2023, with ties to the Foreign Trade Bank of North Korea.
These insider threats are increasingly being linked to external hacks. The notorious Lazarus Group, responsible for the $1.4 billion Bybit theft in February, continues to evolve its methods.
In 2024 alone, North Korean-linked actors stole $1.3 billion across 47 incidents, per Chainalysis.
A newer front in this cyberwar is targeted malware attacks. On June 20, Cisco Talos researchers exposed PylangGhost, a Python-based malware deployed by the Lazarus-affiliated Famous Chollima group.
It disguises itself through fake job interviews and installs credential-stealing malware on victims’ systems, primarily targeting crypto professionals in India.
As North Korea shifts from brute-force hacking to social engineering and insider access, the risks for crypto startups, especially meme coin and NFT communities, continue to grow.
