Projects tied to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost roughly $1 million to contract takeover exploits last week, according to on-chain investigator ZachXBT.
On June 27, ZachXBT reported transaction data showing that the attacker seized control of the “Replicandy” contract at 4:25 a.m. UTC on June 18 by transferring ownership to the externally owned address 0x9Fca.
Two hours later, the new owner withdrew mint proceeds and, at 5:11 a.m. the next day, reopened the mint, issued fresh NFTs, and dumped them into open bids, pushing the floor price to zero.
On June 23, the same address took over three further ChainSaw contracts: Peplicator, Hedz, and Zogz. The bad actor then repeated the mint-and-dump cycle.
ZachXBT estimated the combined theft at more than $310,000 and linked the funds to three collector addresses: 0xf6a9, 0x7e58, and 0x58f4. He traced a 2.05 ETH payment from 0x9Fca to an exchange deposit that was converted to 5,007.91 USDT and then moved to MEXC.
He subsequently mapped many smaller monthly deposits from unrelated projects into the same exchange wallet.
Two GitHub accounts, “devmad119” and “sujitb2114,” list wallets that intersect the stolen fund trail.
Both accounts share indicators that ZachXBT associated with North Korean IT workers, including Korean language system settings, Astral VPN sessions, and Asia-Russia time zones, despite résumés that claim US residency.
Favrr exploit follows the same payroll trail
A second incident surfaced on June 25, when the freelance services token project Favrr lost more than $680,000 following its listing on a DEX. On-chain analysis linked the exploit to the consolidation wallet 0x477, which received recurring payments from Favrr payroll addresses 0x1708 and 0x6412.
Gate.io deposit address 0xab7 received part of the stolen Favrr tokens, and was previously funded by the suspected developer behind “sujitb2114”.
Favrr announced that it would refund all initial decentralized offering participants, cancel its MEXC listing, and initiate a thorough audit of its codebase. The project added that it will publish a new launch timeline “in the coming weeks” and advised users to avoid trading impostor tokens in the interim.
ZachXBT reported that Favrr’s chief technology officer, listed as Alex Hong, deleted his LinkedIn profile after the exploit. Attempts to verify his work history with previous employers were unsuccessful.
The investigator plans to release aggregate data on payroll flows to wallets tied to the same North Korean cluster, contending that basic due diligence checks would have flagged the hires.
The stolen funds from the ChainSaw collections remain idle, while most Favrr proceeds have already passed through Gate.io and several nested services.
ZachXBT said he has not reached the teams because their direct message channels are closed, and official Telegram or Discord rooms do not provide contact options.
The incidents bring renewed attention to the risks of “shadow hiring” in crypto projects that outsource development through gig-work platforms.
Investigators continue to monitor the on-chain trails, and affected communities await formal statements from Furie, ChainSaw, and Favrr.