Blockchain Investigator Flags $1M+ Exploit on Projects Tied to Pepe Creator


TL;DR

  • Blockchain analyst ZachXBT uncovered a coordinated exploit impacting projects linked to Pepe creator Matt Furie and ChainSaw, as well as the Favrr platform.
  • The incidents, traced back to suspected North Korean IT workers accidentally hired as developers, resulted in over $1 million in digital assets being drained.
  • The investigation highlights persistent security gaps and how social engineering can compromise high-profile Web3 initiatives.

According to a detailed thread published by ZachXBT, the attack began on June 18, 2025, when control of Replicandy, a ChainSaw project, was transferred to a new Ethereum address. The attacker then withdrew the mint proceeds, unpaused the contract, and minted new NFTs, which were dumped on the market. This activity caused the floor price of several collections, including Replicandy, Hedz, and Zogz, to crash to zero.


Two days later, the same wallet—0x9Fca—was used to transfer ownership of additional NFT projects and repeat the same exploitative pattern. ZachXBT traced more than $310,000 stolen from these collections alone, with funds being shuffled between three specific wallets to obfuscate the trail.
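The sequence described above (an ownership transfer followed by withdrawal, unpausing and minting from the new owner) is something a project can alert on. The following is an added detection sketch, not code from ZachXBT or the affected projects; the event names, the allowlist, the 48-hour window and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions: event names follow common Ownable/Pausable/ERC-721 conventions;
# addresses are placeholders and every event below is constructed sample data.
APPROVED_OWNERS = {"0xTEAM_MULTISIG"}          # owners the team has signed off on
PRIVILEGED = {"Withdraw", "Unpaused", "Mint"}  # owner-only actions worth watching
WINDOW = timedelta(hours=48)

# (timestamp, contract, event, actor); for OwnershipTransferred, actor = new owner
EVENTS = [
    ("2025-01-01T10:00:00", "0xCOLLECTION_A", "OwnershipTransferred", "0xUNKNOWN_1"),
    ("2025-01-01T10:05:00", "0xCOLLECTION_A", "Withdraw", "0xUNKNOWN_1"),
    ("2025-01-01T10:07:00", "0xCOLLECTION_A", "Unpaused", "0xUNKNOWN_1"),
    ("2025-01-01T10:09:00", "0xCOLLECTION_A", "Mint", "0xUNKNOWN_1"),
    ("2025-01-02T09:00:00", "0xCOLLECTION_B", "OwnershipTransferred", "0xTEAM_MULTISIG"),
    ("2025-01-02T09:30:00", "0xCOLLECTION_B", "Unpaused", "0xTEAM_MULTISIG"),
    ("2025-01-03T12:00:00", "0xCOLLECTION_C", "OwnershipTransferred", "0xUNKNOWN_2"),
    ("2025-01-08T12:00:00", "0xCOLLECTION_C", "Mint", "0xUNKNOWN_2"),  # outside window
]

def detect_takeovers(events, approved=APPROVED_OWNERS, window=WINDOW):
    """Alert on ownership moving to a non-approved address; escalate when the
    new owner performs two or more distinct privileged actions within window."""
    alerts, pending = {}, {}  # pending: contract -> (new_owner, transfer_time)
    for ts, contract, name, actor in sorted(events):
        when = datetime.fromisoformat(ts)
        if name == "OwnershipTransferred":
            if actor in approved:
                pending.pop(contract, None)  # sanctioned hand-over, stop tracking
            else:
                pending[contract] = (actor, when)
                alerts[contract] = {"new_owner": actor, "severity": "warn", "actions": []}
        elif name in PRIVILEGED and contract in pending:
            owner, since = pending[contract]
            if actor == owner and when - since <= window:
                alert = alerts[contract]
                alert["actions"].append(name)
                if len(set(alert["actions"])) >= 2:
                    alert["severity"] = "critical"
    return alerts

if __name__ == "__main__":
    for contract, alert in detect_takeovers(EVENTS).items():
        print(contract, alert)
```
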

Favrr Platform Also Compromised In Separate Attack

On June 25, the platform Favrr was exploited for over $680,000, bringing the total losses from both incidents to more than $1 million. Analysis suggests both exploits are connected to the same group of DPRK-based IT workers. These individuals appear to have been hired unknowingly by the affected projects, despite warning signs such as foreign-language settings, VPN usage, and suspicious activity logs.

GitHub profiles, wallet addresses, and even LinkedIn evidence helped identify several DPRK operatives involved. One of the suspected individuals, using the alias Alex Hong, served as CTO at Favrr. His online presence has since been erased, and his employment history remains unverifiable. The attackers used multiple wallet layers and crypto exchanges to obfuscate fund trails, complicating recovery efforts for the stolen assets. Some transactions were even funneled through less-regulated services.


Industry Faces Growing Threat From Sophisticated Insider Exploits

While most of the funds from ChainSaw remain dormant, assets stolen from Favrr were moved to exchanges like Gate and MEXC. Attempts to contact the affected teams have failed due to inactive communication channels.

ZachXBT announced plans to release a broader dataset outlining financial flows to North Korean developer networks. He also emphasized that these attacks were likely preventable through better hiring scrutiny, urging Web3 startups to apply stricter operational due diligence moving forward. Projects must now adapt faster, improve hiring filters, and avoid over-reliance on anonymous contributors. Stronger screening, real-time audits, and better access controls may prove crucial in preventing similar breaches.
