Someone hacked a North Korean hacker… what they uncovered will shock the crypto world

Leaked screenshots reveal how a secretive DPRK team used fake identities, Google tools, and freelance jobs to steal millions in crypto.


A North Korean hacking cell — accused of siphoning millions from the crypto industry — has been exposed in a rare digital counter-attack, revealing their secret methods, fake identities, and infiltration of high-profile blockchain companies.

According to blockchain sleuth ZachXBT, an unnamed source managed to compromise one of the hackers’ devices, giving the public a rare inside look at the daily operations of DPRK IT operatives. The revelations link the group to a $680,000 exploit targeting fan-token marketplace Favrr in June 2025.

But this was no isolated incident. The same network has been connected to the $1.4 billion hack of crypto exchange Bybit earlier this year, along with years of silent theft from various DeFi protocols.


Fake faces, real crime

The leaked data shows the small, tight-knit team consists of just six North Korean operatives — yet they operate under at least 31 fake identities. These identities include forged government IDs, rented phone numbers, and purchased accounts on LinkedIn and Upwork, enabling them to secure remote crypto development jobs under false pretenses.

In one chilling example, a member even interviewed for a full-stack engineer role at Polygon Labs, while others claimed experience at OpenSea and Chainlink. Evidence shows they used scripted interview answers to pass as legitimate blockchain engineers.


How they work — and hide

Once hired, the operatives gained remote access to projects using tools like AnyDesk, while masking their locations through VPNs.

Leaked Google Drive exports and Chrome profiles revealed they organized tasks, budgets, and schedules in English — often relying on Google Translate’s Korean-to-English tool to communicate with unsuspecting employers.

The team’s expense sheet for May 2025 showed $1,489.80 spent on their operations, covering software tools, identity rentals, and crypto transaction fees.


From fiat to stolen crypto

The hackers reportedly used Payoneer to convert fiat into cryptocurrency. One wallet address — 0x78e1a — is allegedly tied directly to the Favrr exploit, funneling the stolen $680,000 through a web of transactions.

ZachXBT’s investigation underscores how these operatives blend into the global freelance economy, working quietly for unsuspecting blockchain startups while secretly exfiltrating funds.


An ongoing global threat

Cybersecurity experts warn that North Korea’s state-backed hacking units remain one of the most aggressive actors in the crypto theft landscape. By infiltrating projects from the inside, they bypass traditional security measures, making detection extremely difficult.

This latest leak has sparked calls for stricter hiring verification in the crypto industry, especially on global freelance platforms where identity checks can be manipulated.

As for the compromised hacker, their future within the DPRK’s cyber unit remains unknown — but their digital trail has now become a treasure trove for global investigators.
