The 2025 Favrr heist
In a twist worthy of a cyber-thriller, a group posing as blockchain developers pulled off a $680,000 theft from the Favrr fan token marketplace in June 2025, only to be exposed through one of their own devices.
What emerged was striking: six North Korean operatives ran at least 31 fake identities. They carried forged government IDs and phone numbers, and used purchased LinkedIn and Upwork profiles. Some even posed as staff of Polygon Labs, OpenSea and Chainlink to infiltrate the crypto industry.
The digital breadcrumbs (screenshots, Google Drive exports, Chrome profiles) revealed how meticulously they orchestrated the infiltration.
Crypto investigator ZachXBT traced their activity onchain, connecting a wallet address to the Favrr exploit and confirming that this was not merely a phishing scheme but a coordinated, developer-level infiltration.
Did you know? North Korean hackers stole approximately $1.34 billion in crypto in 2024, representing about 60% of global crypto thefts. The attacks spanned 47 incidents, double the previous year's count.
How the hack was discovered
The Favrr breach came to light through a twist of cyber fate: one of the alleged North Korean operators was themselves compromised.
An anonymous source gained access to one of their devices, revealing a trove of internal artifacts: screenshots, Google Drive exports and Chrome profiles that mapped how the hackers coordinated their scheme.
These files painted a striking picture: six operatives running at least 31 fake identities.
Their operational playbook was exposed in detail, from spreadsheets tracking expenses and deadlines, to Google Translate smoothing their English-language deception, to rented computers, VPNs and AnyDesk for stealthy access.
Crypto sleuth ZachXBT then traced the stolen funds onchain, finding a wallet address "closely tied" to the $680,000 Favrr exploit in June 2025.
Together, these revelations confirm that this was a deeply coordinated infiltration by skilled actors posing as legitimate developers, all exposed by a single device left vulnerable.
The fake developer scheme
The counter-hack revealed an arsenal of fabricated personas that went far beyond simple usernames.
They acquired government-issued IDs and phone numbers, and even purchased LinkedIn and Upwork accounts, allowing them to present themselves convincingly as experienced blockchain developers.
Some even impersonated staff of high-profile organizations, interviewing as full-stack engineers for Polygon Labs and touting experience with OpenSea and Chainlink.
The group maintained pre-written interview scripts, with polished answers tailored to each fake identity.
In the end, this layered illusion let them land developer roles and gain access to sensitive systems and wallets, operating from the inside while hiding behind expertly crafted avatars.
It was a deep, identity-based infiltration.
The tools and tactics they used
The ingenuity of the North Korean hackers here lay in a meticulously orchestrated deception built on everyday tools.
Coordination among the six operatives ran through Google Drive exports, Chrome profiles and shared spreadsheets that mapped tasks, schedules and budgets, all carefully logged in English and smoothed with Google Translate between Korean and English.
To execute their infiltration precisely, the team relied on AnyDesk remote access and VPNs, masking their real locations while appearing as legitimate developers to unsuspecting employers. In some cases, they even rented computers to further obscure their origin.
Leaked financial records showed that their operations were tightly budgeted. In May 2025, the group spent $1,489.80 on operational expenses, including VPN subscriptions, rented equipment and the infrastructure needed to maintain multiple identities.
Behind the professional-looking collaboration was a carefully maintained illusion: a corporate-style project management system supporting deep intrusions, backed by real-world operating expenses and technical cover.
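The tooling pattern above (an unapproved remote-desktop client such as AnyDesk on a contractor's machine, combined with egress through a commercial VPN or logins from more than one country) is something a defender can look for in endpoint telemetry. The following is an added example written for this article, not code from the investigation or from any vendor: it scores a constructed batch of process, network and login events per host and user, and escalates only when the signals combine, since a VPN on its own is common for legitimate remote staff. The event schema, the tool list, the "approved" remote-management tool and the VPN ASN list are all assumptions made for the example.

```python
"""
Added example (not from the article): flag contractor endpoints that show the
combination described in the text -- a remote-access tool such as AnyDesk plus
VPN egress or multi-country logins -- in a constructed batch of endpoint
telemetry. Event schema, tool names, approved-tool list and ASNs are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Remote-desktop / remote-management binaries worth tracking (assumed list).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "anydesk", "teamviewer.exe", "rustdesk.exe"}
# Hypothetical: the one remote tool the company has sanctioned for support staff.
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
# ASNs attributed to consumer VPN providers (constructed for the example).
VPN_ASNS = {"AS64500", "AS64501"}


@dataclass
class Finding:
    host: str
    user: str
    reasons: list = field(default_factory=list)


def score_events(events):
    """Group events per (host, user); return a Finding for every pair that runs
    an unapproved remote-access tool AND shows VPN egress or multi-country logins."""
    state = defaultdict(lambda: {"tools": set(), "vpn_asn": set(), "countries": set()})
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["type"] == "process":
            name = ev["image"].lower()
            if name in REMOTE_ACCESS_TOOLS - APPROVED_REMOTE_TOOLS:
                state[key]["tools"].add(name)
        elif ev["type"] == "netconn" and ev["asn"] in VPN_ASNS:
            state[key]["vpn_asn"].add(ev["asn"])
        elif ev["type"] == "login":
            state[key]["countries"].add(ev["country"])

    findings = []
    for (host, user), s in state.items():
        reasons = []
        if s["tools"]:
            reasons.append(f"unapproved remote-access tool: {sorted(s['tools'])}")
        if s["vpn_asn"]:
            reasons.append(f"egress via VPN ASN: {sorted(s['vpn_asn'])}")
        if len(s["countries"]) > 1:
            reasons.append(f"logins from multiple countries: {sorted(s['countries'])}")
        # Escalate only on the combination; a VPN or a single tool alone is a weak signal.
        if s["tools"] and (s["vpn_asn"] or len(s["countries"]) > 1):
            findings.append(Finding(host, user, reasons))
    return findings


def sample_events():
    """Constructed telemetry: three contractor laptops, one of which matches."""
    return [
        # dev-laptop-07: AnyDesk + VPN egress + logins from two countries -> flagged
        {"type": "process", "host": "dev-laptop-07", "user": "contractor.a", "image": "AnyDesk.exe"},
        {"type": "netconn", "host": "dev-laptop-07", "user": "contractor.a", "asn": "AS64500"},
        {"type": "login", "host": "dev-laptop-07", "user": "contractor.a", "country": "US"},
        {"type": "login", "host": "dev-laptop-07", "user": "contractor.a", "country": "DE"},
        # dev-laptop-12: approved tool + VPN -> not flagged
        {"type": "process", "host": "dev-laptop-12", "user": "contractor.b", "image": "TeamViewer.exe"},
        {"type": "netconn", "host": "dev-laptop-12", "user": "contractor.b", "asn": "AS64501"},
        {"type": "login", "host": "dev-laptop-12", "user": "contractor.b", "country": "US"},
        # dev-laptop-03: AnyDesk alone, no VPN, one country -> weak signal, not flagged
        {"type": "process", "host": "dev-laptop-03", "user": "contractor.c", "image": "anydesk.exe"},
        {"type": "netconn", "host": "dev-laptop-03", "user": "contractor.c", "asn": "AS15169"},
        {"type": "login", "host": "dev-laptop-03", "user": "contractor.c", "country": "US"},
    ]


if __name__ == "__main__":
    for f in score_events(sample_events()):
        print(f"{f.host} / {f.user}:")
        for r in f.reasons:
            print(f"  - {r}")
```

In a real deployment the process and network events would come from an EDR or Sysmon feed and the ASN lookup from an IP-to-ASN database; the point of the example is the scoring rule, which deliberately requires two independent signals before a contractor account is escalated for review.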
Did you know? North Korea's most advanced cyber unit, Bureau 121, is staffed by some of the regime's best technical talent, many of whom were handpicked from elite universities after a multi-year training process.
Remote infiltration
The North Korean group behind the Favrr heist used seemingly legitimate job applications (rather than spam or phishing, surprisingly).
Operating through Upwork, LinkedIn and other freelance platforms, they landed blockchain developer roles. With polished personas, custom résumés and ready-made interview scripts, they gained access to client systems and wallets under the cover of remote employment. The infiltration was so convincing that some of those who hired them likely suspected nothing.
This tactic is part of something bigger. Investigations reveal a broader, well-established scheme: North Korean IT workers routinely infiltrate organizations by obtaining remote positions. These infiltrators pass background and reference checks using deepfake and résumé-building tools, delivering real work while paving the way for malicious activity.
In essence, the cyber-espionage threat is not limited to malware. This case shows that it is also embedded in trusted access obtained through remote-work infrastructure.
Did you know? As of 2024, North Korea had roughly 8,400 cyber operatives deployed around the world, posing as remote workers to infiltrate businesses and generate illicit income, notably to fund the regime's weapons programs.
Broader context and state-backed operations
In February 2025, North Korea's Lazarus Group (operating under the alias TraderTraitor) carried out the largest cryptocurrency heist to date, stealing about $1.5 billion in Ether from the Bybit exchange during a routine wallet transfer.
The US Federal Bureau of Investigation confirmed the hack and urged the crypto industry to block suspicious addresses, placing the attack in the context of North Korea's broader cybercrime strategy to fund the regime, including its nuclear and missile programs.
Beyond massive direct thefts, North Korea has also exploited more covert means. Cybersecurity researchers, including Silent Push, discovered that Lazarus affiliates set up US front companies, Blocknovas and SoftGlide, to distribute malware to unsuspecting crypto developers through fake job offers.
These campaigns infected targets with malware strains such as BeaverTail, InvisibleFerret and OtterCookie, granting remote access and enabling credential theft.
These techniques reveal a dual threat: brazen exchange-level heists and stealthy insider infiltration. The overriding goal remains consistent: generating illicit revenue beneath the radar of sanctions.
It should be remembered that these cybercrime operations are central to funding North Korea's weapons programs and sustaining the regime's foreign currency needs.