The 2025 Favrr heist
In a twist worthy of a cyber‑thriller, a group posing as blockchain developers pulled off a $680,000 heist on fan token marketplace Favrr in June 2025, only to be unmasked when one of their own devices was counter‑hacked.
What emerged was startling: Six North Korean operatives had at least 31 fake identities. They carried forged government IDs, phone numbers and fabricated LinkedIn and Upwork profiles. Some even posed as talent from Polygon Labs, OpenSea and Chainlink to infiltrate the crypto industry.
The digital breadcrumbs (screenshots, Google Drive exports, Chrome profiles) revealed just how meticulously they orchestrated the infiltration.
Crypto investigator ZachXBT traced their activity onchain, connecting one wallet address to the Favrr exploit and confirming this was not just a phishing scheme but a coordinated developer‑level infiltration.
Did you know? North Korea-linked hackers stole about $1.34 billion in crypto in 2024, accounting for 60% of global thefts. The attacks spanned 47 incidents, double the number from the previous year.
How the hack was discovered
The Favrr breach came to light through a twist of cyber fate — one of the alleged North Korean operators was counter-hacked.
An unnamed source gained access to one of their devices, unveiling a trove of internal artifacts: screenshots, Google Drive exports and Chrome profiles that mapped out how the hackers coordinated their scheme.
These files painted a startling picture: six operatives running at least 31 fake identities.
Their operational playbook was revealed in detail, from spreadsheets that tracked expenses and deadlines to Google Translate facilitating their English-language deception, right down to rented computers, VPNs and AnyDesk for stealthy access.
Crypto sleuth ZachXBT then traced the stolen funds onchain, uncovering a wallet address “closely tied” to the $680,000 Favrr exploit in June 2025.
Together, these revelations confirm this was a deeply coordinated infiltration by skilled actors posing as legitimate developers, all exposed by a device left vulnerable.

The fake developer scheme
The counter-hack revealed an arsenal of fabricated personas that went far beyond mere usernames.
They acquired government-issued IDs and phone numbers, and even purchased LinkedIn and Upwork accounts, enabling them to convincingly present themselves as experienced blockchain developers.
Some even impersonated staff from high-profile entities, interviewing as full-stack engineers for Polygon Labs and boasting experience with OpenSea and Chainlink.
The group maintained pre‑written interview scripts, with polished responses tailored to each fake identity.
Ultimately, this layered illusion allowed them to land developer roles and access sensitive systems and wallets, acting from the inside while hiding behind expertly crafted avatars.
This was deep, identity-based infiltration.
The tools and tactics they used
The ingenuity of North Korean hacking here lay in meticulously orchestrated deception using everyday tools.
Coordination among the six operatives was handled via Google Drive exports, Chrome profiles and shared spreadsheets that mapped tasks, scheduling and budgets — all meticulously logged in English and smoothed over with Google Translate between Korean and English.
To execute their infiltration with precision, the team relied on AnyDesk remote access and VPNs, masking their true locations while appearing as legitimate developers to unsuspecting employers. In some cases, they even rented computers to further obfuscate their origin.
Leaked financial documents revealed that their operations were heavily budgeted. In May 2025, the group spent $1,489.80 on operational expenses, including VPN subscriptions, rented hardware and infrastructure needed for maintaining multiple identities.
Behind the guise of professional collaboration lay a carefully engineered illusion, a corporate-like project management system supporting deep intrusions, backed by real-world operational expenditures and technological cover.
Did you know? North Korea’s most advanced cyber unit, Bureau 121, is staffed by some of the regime’s top technical talent, many handpicked from elite universities after an intensive multi-year training process.
Remote job infiltration
The North Korean group behind the Favrr heist relied on seemingly legitimate job applications rather than, surprisingly, spam or phishing.
Operating through Upwork, LinkedIn and other freelance platforms, they secured blockchain developer roles. With polished personas, complete…
cointelegraph.com
