North Korean hackers infiltrate meme tokens, linked to $1M in losses

The latest investigations show multiple meme token projects may be compromised by connections to North Korean hackers. Multiple profiles have been intercepted by ZachXBT and other investigators and linked to known exploits. 

Meme tokens may not be safe from DPRK hackers, as recently several projects were compromised, leading to losses of up to $1M. For now, the effect seems limited, only affecting relatively new tokens. However, evidence shows that DPRK hackers are active in meme space, potentially infiltrating Ethereum and Solana projects. 

Some of the attacked projects were linked to the cartoonist Matt Furie, creator of the iconic Pepe image. ZachXBT traced one set of attacks that affected NFT collections. Chain/saw and Favvr were also among the exploited projects. 

1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen

My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. pic.twitter.com/85JRm5kLQO

— ZachXBT (@zachxbt) June 27, 2025

In a series of attacks, new NFTs were minted on several projects, leaving the floor price to fall to zero. ZachXBT traced some of the wallets used to the profiles and repositories of blockchain developers with suspected connections to the North Korean regime. 

One of the identified hackers was hired by the Favvr project, which ended up losing over $680K. Alex Hong, the Favvr project CTO, was also suspected. He left social media in May and deleted the affiliated LinkedIn account. Previously, DPRK hackers were involved in Web 3.0 projects, mostly leading to compromised smart contracts. 

DPRK hackers present as Solana teams

Token creation on Pump.fun is generally democratic. However, DPRK hackers are also offering code to automate token creation or trading. 

Recent investigators discovered a series of social media accounts and GitHub profiles, claiming to be linked to North Korean hackers. Some of the profiles already offer code for multiple chains, including Ethereum, BNB Smart Chain, Base, Arbitrum, and others. One of the identified hacker accounts also shared a Solana copy-trading tool. The accounts were also busy touting their services, advertising direct hiring from their profiles while disparaging other software developer agencies. 

Some of the hackers have formed teams with old social media accounts. The end goal is to be hired as blockchain developers, potentially compromising meme tokens and other projects. 

Can’t let @browsercookies have all the fun.

Gang, meet the DPRK-made dev shop team that loves Solana, uses aged accounts, is active on Twitter and managed to get at least one facilitator in Canada. We’ll go one by one. 0xTan1319 got only recently kicked out (not enough gigs?… https://t.co/9udGpP3tkx pic.twitter.com/TTF6YnEUU0

— bbsz (@blackbigswan) June 26, 2025

The hacker cluster is also connected to previously discovered accounts, posing as Polish or US nationals. Again, the main goal was to obtain remote software engineering jobs, including full-stack blockchain roles. Some of the attempts to get hired moved through the freelance hub Inspiration with Digital Living (IWDL), trying to trick legitimate projects into hiring possibly DPRK-affiliated IT workers. Part of the attempts also involve the creation of fake freelancer sites, which present the connected profiles. 

The Pump.fun token cycle reportedly involved multiple meme projects linked to DPRK hackers. Previously, threat actors have also deliberately launched a meme token to launder funds from a previous Web3 heist. The list of hacker handles and profiles is constantly growing, and not all are active. The potential heist is the reverse of the fake job offers, which attempt to install malware on user computers.