A few weeks ago, we revealed how North Korean hackers exploited projects related to Matt Furie, creator of Pepe the Frog, and escaped with nearly $1 million. The attack started on June 18th, 2025, and involved the transfer of ownership of Furie’s Replicandy project to an externally owned address (EOA). This incident highlights the growing danger from North Korean hackers preying on the crypto industry.

According to many cybersecurity professionals, the exploit can be traced back to North Korean IT workers. These people were probably brought on board as developers for Furie’s various initiatives, which positioned them to secure insider access and conduct the attack. The attack makes clear the growing sophistication of these hackers, who combine social engineering with insider access to wreak havoc.

The Timeline of the Exploit

As detailed above, the exploit started on June 18, 2025 with the illegal transfer of ownership of the Replicandy project. After this first breach, other projects related to Matt Furie, such as Peplicator, Hedz, and Zogz, were similarly compromised. Favrr, one of the affected projects, lost over $680,000 on June 25th alone. This development greatly compounded the financial cost of the attack.

In particular, Alex Hong, a developer linked to Favrr, has recently been singled out as a possible North Korean IT worker. This suspicion makes the investigation much more challenging. It means that North Korean operatives might have been working to infiltrate the development teams behind these projects.

"The Favrr CTO appears suspicious and is likely one of the two DPRK ITWs hired." - ZachXBT

North Korea's Cyber Warfare Tactics

North Korean hackers have in recent years gained infamy as a cyber warfare juggernaut, particularly in the realm of cryptocurrency. In 2024 alone, they stole over $1.3 billion across 47 incidents. These cybercriminals have grown more sophisticated too, using new tools including Python-based malware like PylangGhost to steal crypto credentials.

PylangGhost, attributed to the Lazarus-linked Famous Chollima group, was employed in multiple attacks against crypto professionals. North Korean hackers orchestrated an operation in which they pretended to be Coinbase recruiters and duped people into sharing their crypto credentials through phony job interviews. Their use of PylangGhost to surveil crypto professionals in India likewise shows how ambitious their global reach is.

The U.S. Department of Justice has been increasingly aggressive in cyber enforcement. It has filed a civil forfeiture complaint to seize $7.7 million in cryptocurrency that North Korean IT operatives allegedly earned through cybercrimes. These operatives often pose as online contractors to earn crypto, which is then used to pay for North Korea’s weapons program.

Sim Hyon Sop's Involvement

Our ongoing investigation into Matt Furie’s creative works has found potential ties to Sim Hyon Sop. Sim had been previously, and sometimes unconstitutionally, indicted in 2023, which is deeply concerning. Sim Hyon Sop has ties to North Korea’s Foreign Trade Bank. This link further implies the country’s complicity in these cybercrimes. His close relationship to the exploit suggests a much more organized attack. North Korean actors are continuously finding new ways to target and exploit cryptocurrency projects for illicit profit.

The participation of people such as Sim Hyon Sop highlights the complex, systemic nature of North Korea’s cyber warfare. These operations are not one-offs. They are an important piece of a broader playbook that the regime employs to produce and extract money through nefarious means. The use of sophisticated techniques and the targeting of specific individuals and projects highlight the level of planning and coordination involved.

ZachXBT uncovered some very interesting findings. A deposit address at MEXC had received many stablecoin transfers over the course of several months, indicating that the same IT worker network is being used across multiple crypto projects. This discovery suggests that the exploit of Matt Furie's projects may be just one part of a larger campaign targeting the cryptocurrency industry.