North Korean Hackers Steal $1 Million from Web3 Projects

Hackers posing as IT staff have successfully infiltrated multiple Web3 projects, resulting in the theft of nearly $1 million in assets. The attackers targeted NFT collections tied to Pepe creator Matt Furie, exploiting vulnerabilities in internal access control and project security. The affected projects include Favrr, Replicandy, and ChainSaw, among others. The hackers manipulated the NFT minting systems to generate large batches of tokens, which they then offloaded at scale, causing a collapse in market value.

The timeline of the Replicandy exploit reveals a methodically executed breach. On June 18, ownership of the Replicandy contract was transferred to a new address, which later withdrew mint proceeds and resumed minting, eventually crashing the floor price by flooding the market with NFTs. This pattern was repeated on June 23 with additional collections, including Peplicator, Hedz, and Zogz, causing further devaluation and losses totaling over $310,000. On-chain analysis traced the stolen funds through multiple wallets, ultimately uncovering USDT deposits funneled to MEXC and identifying two suspicious GitHub developer accounts linked to the breach.
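An added example, not from the original article or any of the affected projects: a detection rule for the sequence described above (ownership transfer, withdrawal of proceeds, resumed minting). The event names, tuple layout, placeholder addresses, 24-hour window and mint threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real chain data; addresses are placeholders.
# Layout (assumed): (ISO timestamp, event type, acting address, tokens minted)
SAMPLE_EVENTS = [
    ("2025-01-05T09:00:00", "Mint", "0xCOLLECTOR_A", 3),
    ("2025-01-10T02:14:00", "OwnershipTransferred", "0xNEW_OWNER", 0),
    ("2025-01-10T02:40:00", "Withdraw", "0xNEW_OWNER", 0),
    ("2025-01-10T03:05:00", "Mint", "0xNEW_OWNER", 400),
    ("2025-01-10T03:20:00", "Mint", "0xNEW_OWNER", 600),
    ("2025-02-20T12:00:00", "Mint", "0xCOLLECTOR_B", 1),
]


def detect_takeover(events, known_owners, window=timedelta(hours=24), mint_limit=100):
    """Alert on a transfer to an unapproved owner, then on withdrawal and
    bulk minting by that owner while the watch window is open."""
    alerts = []
    watch = None  # state opened by an unapproved ownership transfer
    for ts, kind, actor, qty in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "OwnershipTransferred":
            if actor in known_owners:
                watch = None  # expected hand-over, e.g. to the team multisig
                continue
            watch = {"owner": actor, "start": when, "minted": 0, "bulk": False}
            alerts.append((ts, "ownership-transferred-to-unapproved-address", actor))
            continue
        # Only the new owner's actions inside the window are of interest.
        if watch is None or actor != watch["owner"] or when - watch["start"] > window:
            continue
        if kind == "Withdraw":
            alerts.append((ts, "withdrawal-after-ownership-change", actor))
        elif kind == "Mint":
            watch["minted"] += qty
            if watch["minted"] > mint_limit and not watch["bulk"]:
                watch["bulk"] = True  # raise the bulk-mint alert once per takeover
                alerts.append((ts, "bulk-mint-after-ownership-change", actor))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover(SAMPLE_EVENTS, known_owners={"0xDEPLOYER"}):
        print(alert)
```

The first alert fires on the ownership transfer itself, before any withdrawal or minting, which is the point at which a project can still pause the contract or warn holders.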

Internal logs further exposed inconsistencies, such as developers claiming to be U.S.-based while using Korean language settings, Asia/Russia time zones, and Astral VPNs. These red flags strongly suggest the attackers were part of a coordinated North Korean campaign exploiting lax vetting procedures in Web3 hiring. While the Favrr team responded swiftly with enhanced user safety measures, ChainSaw only issued a brief warning and later deleted it. Matt Furie has remained completely silent, hinting at a broader and more troubling reality.

North Korean-linked hackers have become increasingly aggressive in 2025, with researchers attributing over $1.6 billion, roughly 70% of all stolen crypto this year, to state-affiliated groups. The $1.5 billion Bybit breach in February, now believed to be their work, stands as the largest crypto theft in history. These actors, including the notorious Ruby Sleet group, have extended their reach beyond crypto, previously infiltrating U.S. defense contractors and now targeting IT firms through fake hiring campaigns and elaborate social engineering tactics.

In response to the growing wave of crypto-related fraud and security breaches, nations across the globe are stepping up regulatory safeguards. In the United States, the Trump administration is actively advancing a series of pro-crypto policies designed to shield the industry from discriminatory banking practices and excessive regulatory pressure. These include a pending executive order to prohibit financial institutions from targeting crypto firms, efforts to roll back SEC-imposed restrictions like SAB 121, and legislative support for frameworks such as the GENIUS Act to clarify rules for stablecoins and digital assets. Meanwhile, Australia has moved swiftly to address crypto ATM misuse by capping cash transactions at AU$5,000, enforcing stricter identity checks, and requiring real-time scam warnings. Together, these measures reflect a coordinated international shift toward a more secure and accountable Web3 environment.
