ZachXBT Traces Recent NFT Hacks To North Korean IT Workers

Blockchain investigator ZachXBT revealed that North Korean IT workers, likely hired as developers, were behind hacks targeting NFT projects tied to Pepe creator Matt Furie and the ChainSaw platform, as well as another project called Favrr. The attacks, which began on June 18, 2025, resulted in approximately $1 million in losses. The hackers gained control of smart contracts, minted new NFTs, and dumped them, crashing floor prices to zero. Specific losses included ~$310,000 from ChainSaw-related projects (Replicandy, Peplicator, Hedz, and Zogz) and ~$680,000 from Favrr.

ZachXBT traced the stolen funds through three wallets, with some ETH converted to stablecoins and moved to the MEXC exchange. He identified suspicious patterns, including a Favrr CTO, Alex Hong, whose unverified work history and deleted LinkedIn profile raised red flags. GitHub accounts linked to the attackers showed Korean language settings and activity in Asia/Russia time zones, further pointing to North Korean involvement. ZachXBT criticized the lack of transparency from Furie and ChainSaw, noting a deleted warning post and disabled communications.

The Matt Furie hacks are part of a broader campaign, with North Korean IT workers infiltrating over 25 crypto projects since June 2024. These operations are highly coordinated, often involving multiple actors posing as independent freelancers across platforms like Upwork or GitHub. The Lazarus Group, suspected in these attacks, is known for long-term campaigns that combine reconnaissance, infiltration, and exploitation.

For example, they’ve used similar tactics in high-profile heists like the $1.5 billion Bybit hack in February 2025. North Korean hackers target the crypto industry’s reliance on pseudonymous interactions and lack of standardized vetting. Many projects, including those tied to Matt Furie, failed to conduct basic due diligence, such as verifying identities or auditing code contributions, allowing hackers to operate undetected.

He emphasized that basic due diligence could have prevented these hires, highlighting North Korea’s ongoing crypto theft tactics, with TRM Labs linking them to ~$1.6 billion in stolen crypto in 2025. The hacks expose vulnerabilities in NFT and DeFi projects, particularly in smart contract management and developer vetting. Inadequate due diligence when hiring developers can lead to catastrophic breaches, as seen with the ~$1 million in losses across ChainSaw and Favrr projects.

The involvement of North Korean IT workers underscores the growing sophistication of state-sponsored cyberattacks targeting crypto and NFT ecosystems. With ~$1.6 billion in crypto stolen by North Korea in 2025 (per TRM Labs), these actors pose a persistent threat, leveraging insider access to exploit projects. Matt Furie and ChainSaw’s lack of transparency—deleting warnings and disabling communications—erodes trust in their projects. Failure to address the breach publicly may deter investors and collectors, further impacting NFT market confidence.

The investigation highlights the need for rigorous vetting of developers, including verifying work histories and scrutinizing online profiles (e.g., GitHub, LinkedIn). Projects must adopt stricter hiring practices to prevent infiltration by malicious actors. High-profile hacks tied to state actors could draw increased regulatory attention to the crypto and NFT space, potentially leading to stricter compliance requirements for platforms and exchanges like MEXC, where stolen funds were traced.

The dumping of minted NFTs to crash floor prices demonstrates how hacks can destabilize markets, harming collectors and investors. This may push projects to implement stronger safeguards, like multi-signature wallets or audited contracts. North Korea’s use of crypto theft to fund state activities (e.g., weapons programs) raises alarms for global security, potentially prompting international efforts to curb such cyberattacks through sanctions or coordinated law enforcement.