ZachXBT described how the attackers took over ownership of the smart contract, created additional NFTs via the minting function, and then sold them into bids in a post that was posted on X. The impacted collections' floor pricing plummeted to $0 as a result of this action.
The exploit started on June 18, 2025, when Replicandy's ownership was moved to 0x9Fca, an externally owned address (EOA). Money was taken out of the deal later that day.
The next morning, the attacker started minting again and released NFTs onto the market. On June 23, a few days later, the same address took over the contracts for Peplicator, Hedz, and Zogz—projects that were also connected to ChainSaw and Matt Furie.
Three wallets were used to track down funds that were taken from ChainSaw-related projects. Later, a portion of the $ETH was converted and sent to the centralised exchange MEXC.
ZachXBT pointed out that over the course of several months, one deposit address at MEXC had received multiple stablecoin transfers totalling between $2,000 and $10,000, indicating a wider use of the same IT worker network across several crypto projects.
GitHub accounts connected to the accused attackers were discovered after additional investigation. ZachXBT claims that a developer claiming to be headquartered in the United States had red flags indicating North Korean links, including Korean language settings, Astral VPN, and operations in Asia/Russia time zones. Payroll links and internal logs gave the accusations additional support.
On June 25, Favrr, another impacted project, reportedly lost almost $680,000. Alex Hong, one of its developers, is thought to be a North Korean IT professional. Attempts to confirm his prior employment experience were unsuccessful, and his LinkedIn profile was just removed.
"The Favrr CTO looks suspicious and is probably one of the two DPRK ITWs hired," ZachXBT stated.
ZachXBT went on to say, "By hiring DPRK IT workers when basic due diligence could have prevented it, the situation is depressing."
He also criticized the lack of transparency from Matt Furie and ChainSaw since the incident. According to him, their only public warning to the community was deleted without explanation. Most of the stolen funds from the ChainSaw exploit remain unmoved.
Meanwhile, the Favrr funds were funneled through Gate.io and other channels.
ZachXBT said he plans to release broader statistics soon, highlighting how widespread payments to suspected North Korean workers have become in the crypto space.
