A compromised device from a North Korean IT worker has exposed the inner workings of the team behind the $680,000 Favrr hack and their use of Google tools to target crypto projects.
Summary
- A compromised device belonging to a North Korean IT worker exposed the inner workings of threat actors.
- Evidence shows operatives used Google powered tools, AnyDesk, and VPNs to infiltrate crypto firms.
According to on-chain sleuth ZachXBT, the trail began with an unnamed source who gained access to one of the workers’ computers, uncovering screenshots, Google Drive exports, and Chrome profiles that pulled back the curtain on how the operatives planned and carried out their schemes.
Drawing on wallet activity and matching digital fingerprints, ZachXBT verified the source material and tied the group’s cryptocurrency dealings to the June 2025 exploit of the fan-token marketplace Favrr. One wallet address, “0x78e1a,” showed direct links to stolen funds from the incident.
Inside the operation
The compromised device showed that the small team — six members in total — shared at least 31 fake identities. To land blockchain development jobs, they amassed government-issued IDs and phone numbers, even buying LinkedIn and Upwork accounts to complete their cover.
An interview script found on the device showed them boasting of experience at well-known blockchain firms, including Polygon Labs, OpenSea, and Chainlink.
Google tools were central to their organized workflow. The threat actors were found to be using drive spreadsheets to track budgets and schedules, while Google Translate bridged the language gap between Korean and English.
Among the information pulled from the device was a spreadsheet that showed IT workers were renting computers and paying for VPN access to buy fresh accounts for their operations.
The team also relied on remote access tools such as AnyDesk, allowing them to control client systems without revealing their true locations. VPN logs tied their activity to multiple regions, masking North Korean IP addresses.
Additional findings revealed the group looking up ways to deploy tokens across different blockchains, scouting AI firms in Europe, and mapping out fresh targets in the crypto space.
North Korean threat actors use remote jobs
ZachXBT found the same pattern flagged in multiple cybersecurity reports — North Korean IT workers landing legitimate remote jobs to slip into the crypto sector. By posing as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.
One document uncovered on the device was interview notes and preparation materials likely meant to be kept on-screen or nearby during calls with potential employers.
