The 2025 Favrr heist

In a twist worthy of a cyber‑thriller, a group posing as blockchain developers pulled off a $680,000 heist on fan token marketplace Favrr in June 2025, only to be unmasked when one of their own devices was counter‑hacked.

What emerged was startling: six North Korean operatives had at least 31 fake identities. They carried forged government IDs, phone numbers and fabricated LinkedIn and Upwork profiles. Some even posed as talent from Polygon Labs, OpenSea and Chainlink to infiltrate the crypto industry.

The digital breadcrumbs (screenshots, Google Drive exports, Chrome profiles) revealed just how meticulously they orchestrated the infiltration. 

Crypto investigator ZachXBT traced their activity onchain, connecting one wallet address to the Favrr exploit and confirming this was not just a phishing scheme but a coordinated developer‑level infiltration.

Did you know? North Korea-linked hackers stole about $1.34 billion in crypto in 2024, accounting for 60% of global thefts. The attacks spanned 47 incidents, double the number from the previous year.

How the hack was discovered

The Favrr breach came to light through a twist of cyber fate — one of the alleged North Korean operators was counter-hacked. 

An unnamed source gained access to one of their devices, unveiling a trove of internal artifacts: screenshots, Google Drive exports and Chrome profiles that mapped out how the hackers coordinated their scheme.

These files painted a startling picture: six operatives running at least 31 fake identities.

Their operational playbook was revealed in detail, from spreadsheets that tracked expenses and deadlines to Google Translate facilitating their English-language deception, right down to rented computers, VPNs and AnyDesk for stealthy access.

Crypto sleuth ZachXBT then traced the stolen funds onchain, uncovering a wallet address “closely tied” to the $680,000 Favrr exploit in June 2025. 

Together, these revelations confirm this was a deeply coordinated infiltration by skilled actors posing as legitimate developers, all exposed by a device left vulnerable.

See anyone you know - List of North Korean scammer fake identities

The fake developer scheme

The counter-hack revealed an arsenal of fabricated personas that went far beyond mere usernames.

They acquired government-issued IDs, phone numbers and even purchased LinkedIn and Upwork accounts, enabling them to convincingly present themselves as experienced blockchain developers.

Some even impersonated staff from high-profile entities, interviewing as full-stack engineers for Polygon Labs and boasting experience with OpenSea and Chainlink.

The group maintained pre‑written interview scripts, polishing scripted responses tailored to each fake identity. 

Ultimately, this layered illusion allowed them to land developer roles and access sensitive systems and wallets, acting from the inside while hiding behind expertly crafted avatars.

This was deep, identity-based infiltration.

The tools and tactics they used

The ingenuity of North Korean hacking here lay in meticulously orchestrated deception using everyday tools.

Coordination among the six operatives was handled via Google Drive exports, Chrome profiles and shared spreadsheets that mapped tasks, scheduling and budgets — all meticulously logged in English and smoothed over with Google Translate between Korean and English.

To execute their infiltration with precision, the team relied on AnyDesk remote access and VPNs, masking their true locations while appearing as legitimate developers to unsuspecting employers. In some cases, they even rented computers to further obfuscate their origin.

Leaked financial documents revealed that their operations were heavily budgeted. In May 2025, the group spent $1,489.80 on operational expenses, including VPN subscriptions, rented hardware and infrastructure needed for maintaining multiple identities.

Behind the guise of professional collaboration lay a carefully engineered illusion, a corporate-like project management system supporting deep intrusions, backed by real-world operational expenditures and technological cover.

Did you know? North Korea’s most advanced cyber unit, Bureau 121, is staffed by some of the regime’s top technical talent, many handpicked from elite universities after an intensive multi-year training process.

Remote job infiltration

Surprisingly, the North Korean group behind the Favrr heist used seemingly legitimate job applications rather than spam or phishing.

Operating through Upwork, LinkedIn and other freelance platforms, they secured blockchain developer roles. With polished personas, complete with tailored resumes and interview-ready scripts, they gained access to client systems and wallets under the guise of remote employment. The infiltration was so authentic that some interviewers likely never suspected anything was amiss.

A tailored, interview-ready script that the group was supposedly using

This tactic is representative of something greater. Investigations reveal a broader, well-established pattern: North Korean IT operatives routinely infiltrate organizations by securing remote positions. These infiltrators pass background and reference checks using deepfake tools and AI-enhanced resumes, delivering services while paving the way for malicious activity.

In essence, the cyber-espionage threat isn’t limited to malware. This event shows that it’s also embedded within trusted access through remote work infrastructure.

Did you know? By 2024, North Korea had around 8,400 cyber operatives embedded worldwide, posing as remote workers to infiltrate companies and generate illicit revenue, particularly channeling funds toward the regime’s weapons programs.

Broader context and state-backed ops

In February 2025, North Korea’s Lazarus Group (operating under the alias TraderTraitor) executed the largest cryptocurrency heist to date, stealing approximately $1.5 billion in Ether from the Bybit exchange during a routine wallet transfer.

The US Federal Bureau of Investigation confirmed the hack and warned the crypto industry to block suspicious addresses, noting this attack as part of North Korea’s broader cybercrime strategy to fund its regime, including nuclear and missile programs.

Beyond massive direct thefts, North Korea has also leveraged more covert means. Cybersecurity researchers, including Silent Push, discovered that Lazarus affiliates set up US shell companies, Blocknovas and Softglide, to distribute malware to unsuspecting crypto developers through fake job offers. 

These campaigns infected targets with strains like BeaverTail, InvisibleFerret and OtterCookie, granting remote access and enabling credential theft.

These techniques reveal a dual threat: brazen exchange-level attacks and stealthy insider infiltration. The overarching goal remains consistent: to generate illicit revenue under the radar of sanctions. 

It’s worth remembering that such cybercrime operations are central to funding North Korea’s weapons programs and sustaining the regime’s foreign-currency lifeline.