Author: ZachXBT, Crypto Detective; Translation: Golden Finance xiaozou
A team recently asked for my help because someone stole $1.3 million from their vault through malicious code.
What the team didn't know was that they had hired multiple North Korean IT workers, using fake identities, as developers.
I then found these same developers active in at least 25 crypto projects since June 2024.
The laundering path for this incident was as follows:
1) $1.3 million was transferred to the theft address:
0xb721adfc3d9fe01e9b3332183665a503447b1d35
Over the past week, as you may have seen, I asked these projects to contact me directly.
Earlier, $5.5 million had flowed into an exchange deposit address, including payments received by North Korean IT workers between July 2023 and 2024; that address was linked to Sim Hyon Sop, an individual on the OFAC sanctions list.
0x8f0212b1a77af1573c6ccdd8775ac3fd09acf014
Some interesting things were found during the investigation:
- Russian telecom IPs were used by developers who claimed to be in the United States and Malaysia.
- In the development records, they accidentally revealed their other identities in a notebook.
- The developer payment addresses were linked to Sang Man Kim and Sim Hyon Sop, both on the OFAC sanctions list.
- Some of the developers were placed through recruitment agencies.
- Several projects had more than three IT workers who had recommended each other.
Many experienced teams hired these developers, so it is unfair to single them out for blame.
Some indicators teams can look at in the future include:
1) They recommend each other for roles.
2) A strong resume and GitHub activity, although they sometimes lie about their work experience.
3) Often willing to go through KYC, but they submit a fake ID in the hope that the team will not investigate further.
4) Ask them specific questions about the place they claim to be from.
5) A developer is fired, and several new accounts immediately appear looking for jobs.
6) Can look like a great developer at first glance, but often performs poorly on the job.
7) Check the logs.
8) They like to use popular NFT profile pictures (pfps).
9) An Asian accent.
In case you are one of those people who think blaming everything on North Korea is a huge conspiracy theory:
Anyway, this research proves that
a single entity in Asia can work on 25+ projects at the same time and earn $300k-500k per month by using fake identities.
Follow-up:
Shortly after this post was published, another project discovered that they had hired a North Korean IT worker from my list (Naoki Murano), and the project manager shared my article in their chat.
As a result, within two minutes, Naoki left the chat and deleted his GitHub.