A compromised device belonging to a North Korean IT worker has exposed the inner workings of the team behind the $680,000 Favrr hack and their use of Google tools to target crypto projects.
Summary
- A compromised device belonging to a North Korean IT worker has uncovered the inner workings of the threat actors.
- Evidence shows that the workers used Google tools, AnyDesk and VPNs to infiltrate crypto companies.
According to investigator ZachXBT, the trail started with an unnamed source who gained access to one of the workers' computers. Screenshots, Google Drive exports and Chrome profiles pulled back the curtain on how the operators planned and executed their schemes.
Based on wallet activity and matching digital fingerprints, ZachXBT verified the source material and tied the group's cryptocurrency transactions to the June 2025 exploit of the fan-token marketplace Favrr. One wallet address, “0x78e1a”, showed direct links to funds stolen in the incident.
Inside the operation
The compromised device showed that the small team, six members in total, shared at least 31 fake identities. To land jobs in blockchain development, they collected government-issued IDs and phone numbers, and even bought LinkedIn and Upwork accounts to complete their cover.
An interview script found on the device presented them as having experience at well-known blockchain companies, including Polygon Labs, OpenSea and Chainlink.
Google tools were central to their organized workflow. The threat actors were found to use Drive spreadsheets to track budgets and schedules, while Google's translation service bridged the language gap between Korean and English.
One item pulled from the device was a spreadsheet showing that the workers rented computers, paid for VPN access and bought new accounts for their activities.
The team also relied on remote access tools such as AnyDesk, which let them control client systems without revealing their true locations. VPN logs tied their activity to several regions and masked North Korean IP addresses.
Additional findings revealed that the group was looking for ways to deploy tokens on different blockchains, to explore AI companies in Europe and to map new targets in the crypto space.
North Korean threat actors use remote jobs
ZachXBT noted the same pattern flagged in multiple cybersecurity reports: North Korean IT workers landing remote jobs to slip into the crypto sector. By presenting themselves as freelance developers, they gain access to code repositories, backend systems and wallet infrastructure.
Among the documents discovered on the device were interview notes and preparation material, probably kept on screen or nearby during calls with potential employers.