How Freelance Hackers From North Korea Built a $680,000 Crypto Heist Network

A recent investigation has exposed an alarming operation: a small unit of North Korean IT operatives maintained at least 31 fraudulent identities to infiltrate cryptocurrency platforms and conduct large-scale theft. The largest documented incident involved the theft of $680,000 from the fan token market Favrr in June 2025.

The Infiltration Strategy: Building Credible Freelance Profiles

Intelligence gathered from a compromised device reveals how these North Korean freelance hackers established themselves within the crypto industry. The group created elaborate cover identities, assembling comprehensive documentation including forged government IDs and phone numbers. To appear legitimate on hiring platforms, they purchased established LinkedIn and Upwork accounts, effectively borrowing the credibility of previous users.

Blockchain engineer positions and smart contract development roles became their primary targets. Evidence suggests that one individual applied for a full-stack engineer position at Polygon Labs, while interview transcripts show claims of prior employment at notable crypto entities like OpenSea and Chainlink. These fabricated credentials successfully placed them within unsuspecting cryptocurrency organizations.

Operational Infrastructure: Remote Access and Digital Concealment

Once embedded in crypto projects, the freelance hackers utilized sophisticated remote access software including AnyDesk to perform work while maintaining physical distance from employers. VPN technology masked their geographic location, creating the illusion of legitimate remote workers from other regions.

Google’s suite of tools became central to their operations. Leaked data reveals they managed project schedules, task assignments, and budgets through Google Drive. Chrome profile exports show heavy reliance on Google’s translation services to maintain English-language communication while operating from a non-English-speaking region. Financial records document $1,489.8 in operational expenses during May alone.

From Employment to Exploitation: The $680,000 Favrr Breach

The investigation identified direct connections between this infrastructure and specific crypto theft. Wallet address 0x78e1a showed patterns consistent with funds flowing from the June Favrr hack. The blockchain evidence connects to individuals presenting themselves as “Alex Hong” and other developers—all part of the same coordinated North Korean operation. This team had previously targeted the cryptocurrency exchange Bybit in February, orchestrating a $1.4 billion theft that shocked the industry.

Incidentally, their search history revealed intelligence gathering about broader crypto infrastructure—queries about deploying ERC-20 tokens on Solana and research into European AI development companies suggest expanded targeting interests beyond initial incidents.

The Broader Risk: Why Crypto Companies Remain Vulnerable

Security researchers emphasize that these freelance hackers exploited a fundamental weakness in hiring processes. Despite the relative simplicity of the infiltration methodology, cryptocurrency firms consistently fail to implement adequate due diligence. The sheer volume of applications to development positions creates decision fatigue among hiring teams, leading to compromised vetting.

The fragmentation between cryptocurrency companies and freelance platforms amplifies the problem. Neither ecosystem maintains robust cross-platform verification systems, leaving gaps that determined actors can exploit. U.S. Treasury sanctions against two individuals and four entities involved in North Korean IT worker networks demonstrate governmental awareness of the threat, yet private sector adoption of corresponding security measures remains inconsistent.

The lesson is clear: thorough background verification, cross-platform intelligence sharing, and skepticism toward geographically inconsistent candidate profiles represent necessary defenses against coordinated infiltration attempts by state-sponsored freelance hackers targeting the cryptocurrency sector.
