One million dollar hack of "Pepe" projects: Fingers point to North Korea

Introduction: An escalating threat in the cryptocurrency space

In a new blow to the world of digital assets, a group of NFT projects associated with the famous frog character "Pepe" fell victim to a widespread cyber attack, resulting in losses estimated at one million US dollars. Investigations led by independent investigator ZachXBT revealed that the attack bore the fingerprints of a hacking network linked to North Korea, raising growing concerns about cybersecurity in the cryptocurrency space.

This attack was not a random act but a calculated operation that targeted smart contracts and was carried out by operatives covertly recruited into the teams of the affected projects. This incident once again emphasizes the pivotal role of independent investigators in tracking cross-border criminal activities and uncovering structural vulnerabilities in the digital ecosystem.

---

Hack details: Systematic seizure and draining

The series of attacks began on June 18, when the contract for the Replicandy project belonging to Chainsaw was seized by transferring ownership to an external address (0x9Fca). The attackers not only withdrew the minting revenues but also restarted NFT minting and sold the NFTs extensively, causing the market value to collapse to zero.

Later, on June 23, three additional smart contracts belonging to Chainsaw (namely: Peplicator, Hedz, and Zogz) were hacked in the same manner. ZachXBT estimates that the total losses from these operations amounted to about $310,000.
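
A seizure of this kind is visible on-chain as an ownership-transfer event. The following Python is an added example, not code from the investigation or the affected projects: it scans raw logs in the `eth_getLogs` JSON shape for the standard OpenZeppelin `OwnershipTransferred` event and alerts when the new owner is not on an approved list. It assumes the contracts use that Ownable pattern, which the article does not state; every address and log entry is constructed.

```python
# Added example: scan raw EVM logs (eth_getLogs JSON shape) for ownership changes.
# Assumption: the contracts emit the standard OpenZeppelin Ownable event,
# whose topic0 is keccak256("OwnershipTransferred(address,address)").
OWNERSHIP_TRANSFERRED = (
    "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
)

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("not an address topic: " + topic)
    return "0x" + raw[24:]

def find_unexpected_transfers(logs, approved_owners):
    """Return one alert per transfer whose new owner is not pre-approved."""
    approved = {a.lower() for a in approved_owners}
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue  # some other event, or a malformed entry
        new_owner = topic_to_address(topics[2])
        if new_owner not in approved:
            alerts.append({
                "contract": log["address"].lower(),
                "block": int(log["blockNumber"], 16),
                "previous_owner": topic_to_address(topics[1]),
                "new_owner": new_owner,
            })
    return alerts

def pad(addr):
    """Build a 32-byte topic from a 20-byte address (helper for the sample)."""
    return "0x" + "0" * 24 + addr[2:]

# Constructed sample data: none of these addresses or logs come from the incident.
MULTISIG, DEPLOYER = "0x" + "aa" * 20, "0x" + "bb" * 20
OUTSIDER, NFT = "0x" + "cc" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    {"address": NFT, "blockNumber": "0x10",
     "topics": [OWNERSHIP_TRANSFERRED, pad(DEPLOYER), pad(MULTISIG)]},
    {"address": NFT, "blockNumber": "0x2a",  # unrelated event, constructed topic
     "topics": ["0x" + "ab" * 32, pad(MULTISIG), pad(OUTSIDER)]},
    {"address": NFT, "blockNumber": "0x3c",
     "topics": [OWNERSHIP_TRANSFERRED, pad(MULTISIG), pad(OUTSIDER)]},
]
if __name__ == "__main__":
    print(find_unexpected_transfers(SAMPLE_LOGS, [MULTISIG]))
```

Only the third sample log raises an alert: the first hands ownership to the approved multisig and the second is a different event.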

On June 25, it was Favrr's turn: the hackers exploited a payroll relationship to gain access to the system, resulting in the theft of about $680,000 from the project shortly after its listing on a decentralized exchange.

Damage summary

| Project | Type of Hack | Approximate Losses |
| --- | --- | --- |
| Chainsaw | Seizure of smart contracts and sale of NFTs | 310,000 dollars |
| Favrr | Hack via employee payroll | 680,000 dollars |
| Total | | 1,000,000 dollars |

---

Threads linking the attack to North Korea

What distinguishes this hack is its direct connection to a North Korean hacking network, according to ZachXBT's investigation. The attackers succeeded in infiltrating the internal teams of the Chainsaw and Favrr projects through covert recruitment, holding significant positions such as IT employee and CTO.

Analysis of suspicious GitHub accounts linked the accounts "devmad119" and "sujitb2114" to North Korean developers through technical indicators such as Korean language settings, use of Astral VPN, and activity timings from time zones in Asia and Russia, despite their claims of being located in the United States.

Known method: Covert recruitment

These methods reflect a recurring pattern followed by groups like Lazarus, a notorious hacking group backed by the North Korean regime, which has previously executed hacks worth billions of dollars in the cryptocurrency market.

---

ZachXBT: The Unknown Guardian of the Blockchain

ZachXBT reemerged as a crucial element in uncovering the threads of this digital crime. Through precise on-chain analysis, he was able to trace the flow of funds and analyze suspicious wallets, in addition to linking the digital data to GitHub accounts and developers involved in the targeted projects.

Despite his efforts, ZachXBT faced difficulties in communicating with the hacked project teams, as support and communication channels (like Telegram and Discord) were closed or ineffective, hindering the speed of response and recovery.

---

Reactions: Variability in responsibility and transparency

Chainsaw issued a brief warning about the hack and later deleted it, amid silence from Pepe character founder Matt Furie, who disabled his messages on platform X.

Favrr took a responsible stance by announcing its intention to refund participants, delisting from the MEXC exchange, and starting a comprehensive internal audit.

Reactions summarized

| Party | Response | Notes |
| --- | --- | --- |
| Chainsaw | Warning then deletion | Lack of transparency |
| Favrr | Recovery and audit | Responsible and proactive handling |
| Matt Furie | Silence | Lack of communication |

---

Lessons learned: Employment security before code

This incident reveals a critical vulnerability in cryptocurrency projects: the absence of due diligence procedures in recruitment. An excessive focus on technical aspects has led to overlooking human threats, as a malicious actor can infiltrate sensitive systems through a job position without the need for external hacks.

---

Conclusion: A wake-up call

The hack of Pepe projects serves as a strong warning to the digital currency community. Threats are no longer limited to software vulnerabilities; they now include complex human infiltration strategies led by state-backed entities. In this context, the importance of enhancing cybersecurity increases, not only at the level of smart contracts but also in recruitment and internal communication processes.

Transparency, independent investigation, and ongoing fortification are the pillars that can ensure a safer future for the global digital assets community.
