In a shocking cyber‑thriller twist, a group posing as blockchain developers pulled off a $680,000 heist on fan token marketplace Favrr in June 2025. The heist was orchestrated by six North Korean operatives with fake identities, infiltrating the crypto industry with forged documents and posing as talent from various companies.

The breach at Favrr was discovered when one of the North Korean operatives was counter-hacked, revealing a trove of internal artifacts that detailed the hackers’ scheme. The group used at least 31 fake identities, meticulously coordinating their infiltration with spreadsheets, rented computers, VPNs, and AnyDesk for stealthy access.

The North Korean operatives went beyond fake identities, acquiring government-issued IDs, phone numbers, and even LinkedIn and Upwork accounts to pose as experienced blockchain developers. Some even impersonated staff from companies like Polygon Labs and OpenSea, using pre-written interview scripts and tailored responses to land developer roles and access sensitive systems.

The North Korean hackers used Google Drive, Chrome profiles, and shared spreadsheets to coordinate their deception. They relied on AnyDesk remote access, VPNs, and rented computers to mask their true identities while appearing as legitimate developers. Financial documents revealed significant operational expenses to maintain multiple identities and support their infiltration.

The North Korean group behind the Favrr heist secured blockchain developer roles through legitimate job applications on platforms like Upwork and LinkedIn. By using polished personas and tailored resumes, they gained access to client systems and wallets under the guise of remote employment, fooling interviewers with deep infiltration and AI-enhanced resumes.

In February 2025, North Korea’s Lazarus Group executed a $1.5 billion Ether heist from the Bybit exchange. The FBI confirmed the hack and warned the crypto industry of North Korea’s broader cybercrime strategy to fund regime activities. North Korea has also used covert means like setting up shell companies to distribute malware to crypto developers.

Read more at Cointelegraph: North Korean “Developers” Infiltrate Crypto Firms