DPRK IT Worker-Related Account Takeover
Here’s an interesting mystery for you all involving a DPRK IT worker (*turned hacker).
Let’s start with a rather unusual victim: @wavesprotocol, a project involved in a $500M heist in 2024.
Discovery
During routine scanning for DPRK-related GitHub activity, we found an active North Korea-related account involved with Keeper-Wallet (a Waves wallet Chrome extension) development. However, it was not the usual scenario of freelance-type engagement we often observe.
Keeper-Wallet is a child project of Waves Protocol, an ecosystem-specific wallet that was being developed by the Waves team before their massive rug pull.
First of all, the Keeper-Wallet organization was inactive until 3 weeks ago. The last (non-DPRK) commit was pushed in August 2023. Suddenly, some repositories started to receive commits in May 2025. These were mostly dependency updates in npm/yarn. On its own, this was slightly weird (beyond Waves’ reputation), but not outright alarming, until…
Compromise
We noticed the account performing these updates has enough privileges to …
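The signal described under Discovery (a long-dormant organization that resumes with npm/yarn dependency-only commits) can be checked mechanically over exported commit metadata. The following is an added example, not code from the original post; the function names, the 365-day threshold, and the sample commits (constructed, with placeholder authors and hashes) are assumptions.

```python
from datetime import datetime, timedelta

# npm/yarn manifest and lockfile names; a commit touching only these is "dependency-only".
DEP_FILES = {"package.json", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock"}

def is_dep_only(files):
    """True when every changed path is an npm/yarn manifest or lockfile."""
    return bool(files) and all(p.rsplit("/", 1)[-1] in DEP_FILES for p in files)

def flag_revived_activity(commits, dormancy_days=365):
    """Flag dependency-only commits that arrive after a long dormancy gap.

    commits: dicts with sha, author, date (ISO 8601 with offset), files.
    Each finding notes the gap length and whether the author had any
    commit before the gap. The threshold is an assumed default.
    """
    ordered = sorted(commits, key=lambda c: datetime.fromisoformat(c["date"]))
    findings, seen, known_before_gap = [], set(), set()
    prev, gap_days = None, None
    for c in ordered:
        when = datetime.fromisoformat(c["date"])
        if prev is not None and when - prev >= timedelta(days=dormancy_days):
            gap_days = (when - prev).days       # activity resumes at this commit
            known_before_gap = set(seen)        # authors seen before the gap
        if gap_days is not None and is_dep_only(c["files"]):
            findings.append({"sha": c["sha"], "author": c["author"],
                             "gap_days": gap_days,
                             "new_author": c["author"] not in known_before_gap})
        seen.add(c["author"])
        prev = when
    return findings

# Constructed sample history (placeholder authors and hashes, not real commits):
# the last commit lands in August 2023, then activity resumes in May 2025.
SAMPLE_COMMITS = [
    {"sha": "a1", "author": "maintainer-a", "date": "2023-06-02T12:00:00+00:00",
     "files": ["src/index.ts"]},
    {"sha": "a2", "author": "maintainer-a", "date": "2023-08-15T12:00:00+00:00",
     "files": ["package.json", "src/ui.ts"]},
    {"sha": "b1", "author": "account-x", "date": "2025-05-20T12:00:00+00:00",
     "files": ["package.json", "yarn.lock"]},
    {"sha": "b2", "author": "account-x", "date": "2025-05-21T12:00:00+00:00",
     "files": ["packages/core/yarn.lock"]},
    {"sha": "b3", "author": "maintainer-a", "date": "2025-05-22T12:00:00+00:00",
     "files": ["README.md"]},
]

if __name__ == "__main__":
    for finding in flag_revived_activity(SAMPLE_COMMITS):
        print(finding)
```

A finding is a triage lead, not proof of compromise: the next step is to check what privileges the committing account holds and whether the updated dependencies resolve to expected versions.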
IoC