A suspected DPRK IT worker was employed at THORSwap
Contents
A suspected DPRK IT worker was employed at @THORSwap ⚡ #BetterThanCEX and had at least 3 pull requests MERGED into the official swapkit/SwapKit repository — the core SDK powering ThorSwap's cross-chain swap infrastructure.
The PRs modified wallet integration code for Talisman, Polkadot.js, and Chainflip.
Here's what we found.
ZachXBT
ZachXBT
@zachxbt
Feb 14
View on Twitter
Conveniently left out the fact that you are a cyber criminal that operates the Chinese darknet market ‘FreeCity’
You openly advertise illicit services such as human trafficking / hitman openly on Telegram.
You also have knowingly laundered 5+ hacks for DPRK as their OTC.
I also know you’re aware as two years ago you asked me to check why a CEX account got frozen and it traced back onchain to a 9 figure DPRK heist.
🧵2/13
The operator used 4 GitHub accounts linked by shared number patterns ("914" and "425"):
smartdev914 ([email protected]) - 38 repos, main portfolio.
promisingdev425 -14 repos, job application persona
onedev425 ([email protected]) - 9 repos, …
The PRs modified wallet integration code for Talisman, Polkadot.js, and Chainflip.
Here's what we found.
ZachXBT
ZachXBT
@zachxbt
Feb 14
View on Twitter
Conveniently left out the fact that you are a cyber criminal that operates the Chinese darknet market ‘FreeCity’
You openly advertise illicit services such as human trafficking / hitman openly on Telegram.
You also have knowingly laundered 5+ hacks for DPRK as their OTC.
I also know you’re aware as two years ago you asked me to check why a CEX account got frozen and it traced back onchain to a 9 figure DPRK heist.
🧵2/13
The operator used 4 GitHub accounts linked by shared number patterns ("914" and "425"):
smartdev914 ([email protected]) - 38 repos, main portfolio.
promisingdev425 -14 repos, job application persona
onedev425 ([email protected]) - 9 repos, …