A team of North Korean IT agents used 31 fake identities and is suspected of hacking the fan token market Favrr in June, causing losses of $680,000.

According to screenshots recently leaked from an employee's device, a small group of North Korean IT workers is linked to a $680,000 cryptocurrency hack that occurred in June, and they have been using Google products and even rented computers to infiltrate cryptocurrency projects.

On Wednesday, ZachXBT shared in an X post how North Korean hackers operate internally. This information came from an 'anonymous source' who successfully hacked into one of their devices.

Workers linked to North Korea exploited the cryptocurrency exchange Bybit in February, stealing $1.4 billion in funds, and have stolen millions from cryptocurrency protocols over the years.

The data shows that a small team of six North Korean IT workers shared at least 31 fake identities, obtaining everything from government IDs and phone numbers to purchased LinkedIn and Upwork accounts to conceal their true identities and land cryptocurrency jobs.

One worker allegedly interviewed for a full-stack engineer position at Polygon Labs, while other evidence shows that their interview scripts claimed experience working for NFT marketplace OpenSea and blockchain oracle provider Chainlink.

Google, remote work software

Leaked documents show that North Korean IT workers secured positions as 'blockchain developers' and 'smart contract engineers' on freelance platforms like Upwork and then used remote access software like AnyDesk to complete work for unsuspecting employers. They also used VPNs to hide their true locations.

Google Drive export data and Chrome profiles show that they used Google tools to manage schedules, tasks, and budgets, primarily communicating in English while using Google's Korean-English translation tools.

A spreadsheet shows that the IT staff's operational expenses totaled $1,489.8 in May.

North Korean IT workers are linked to a recent $680,000 cryptocurrency hack

ZachXBT stated that North Koreans often use Payoneer to convert fiat currency into cryptocurrency for work, and that one wallet address, '0x78e1a', is 'closely related' to the $680,000 breach that occurred in June 2025 at the fan token market Favrr.

At that time, ZachXBT claimed that the project's chief technology officer 'Alex Hong' and other developers were actually disguised North Korean workers.

The evidence also offers insight into the workers' areas of interest. One search asked whether ERC-20 tokens could be deployed on Solana, while another sought information about leading AI development companies in Europe.

Cryptocurrency companies need to conduct more due diligence

ZachXBT urged cryptocurrency and tech companies to conduct more thorough background checks on potential employees, pointing out that many of these operations are not very complex but that the volume of applications often leads hiring teams to be careless.

He added that the lack of collaboration between tech companies and freelance platforms further exacerbates this issue.

Last month, the U.S. Treasury took action against two individuals and four entities involved in a North Korean-controlled IT worker ring infiltrating cryptocurrency companies.