Recently a team reached out to me for assistance after $1.3M was stolen
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.
Unbeknownst to the team, they had hired multiple DPRK IT workers as devs who were using fake identities.
I then uncovered 25+ crypto projects with related devs that have been active since June 2024.
2/ The laundering path for the incident can be described as:
1) Transfer $1.3M to theft address
2) Bridge $1.3M from Solana to Ethereum via deBridge
3) Deposit 50.2 ETH to Tornado
4) Transfer 16.5 ETH to two exchanges
Theft address
6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet
3/ Using multiple payment addresses for 21 devs I was able to map out a cluster with the most recent batch of payments for ~$375K over the last month.
0xb721adfc3d9fe01e9b3332183665a503447b1d35
In the past week you may have seen me tagging projects telling them to DM me.
4/ Prior to this $5.5M flowed into an exchange deposit address …