Projects tied to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost roughly $1 million to contract takeover exploits last week, according to on-chain investigator ZachXBT.
On June 27, ZachXBT reported transaction data showing that the attacker seized control of the “Replicandy” contract at 4:25 a.m. UTC on June 18 by transferring ownership to the externally owned address 0x9Fca.
Two hours later, the new owner withdrew mint proceeds and, at 5:11 a.m. the following day, reopened the mint, issued fresh NFTs, and dumped them into open bids, pushing the floor price to zero.
On June 23, the same address took over three further ChainSaw contracts: Peplicator, Hedz, and Zogz. The bad actor then repeated the mint-and-dump cycle.
ZachXBT estimated the combined theft at more than $310,000 and linked the funds to three collector addresses: 0xf6a9, 0x7e58, and 0x58f4. He traced a 2.05 ETH payment from 0x9Fca to an exchange deposit that was converted to 5,007.91 USDT and then moved to MEXC.
He subsequently mapped many smaller monthly deposits from unrelated projects into the same exchange wallet.
Two GitHub accounts, “devmad119” and “sujitb2114,” list wallets that intersect the stolen fund path.
Both accounts share indicators that ZachXBT associated with North Korean IT workers, including Korean language system settings, Astrill VPN sessions, and Asia-Russia time zones, despite résumés that claim US residency.
Favrr exploit follows the same payroll trail
A second incident surfaced on June 25, when the freelance services token project Favrr lost more than $680,000 following its listing on a DEX. On-chain analysis linked the exploit to the consolidation wallet 0x477, which received recurring payments from Favrr payroll addresses 0x1708 and 0x6412.
Gate.io deposit address 0xab7 received part of the stolen Favrr tokens, and was previously funded by the suspected developer behind “sujitb2114”.
Favrr announced that it would refund all initial decentralized offering participants, cancel its MEXC listing, and initiate a thorough audit of its codebase. The project added that it will publish a new launch timeline “within the coming weeks” and advised users to avoid trading impostor tokens in the interim.
ZachXBT reported that Favrr’s chief technology officer, listed as Alex Hong, deleted his LinkedIn profile after the exploit. Attempts to verify his work history with previous employers were unsuccessful.
The investigator plans to release aggregate data on payroll flows to wallets tied to the same North Korean cluster, contending that basic due diligence checks would have flagged the hires.
The stolen funds from the ChainSaw collections remain idle, while most Favrr proceeds have already passed through Gate.io and several nested services.
ZachXBT said he has not reached the teams because their direct message channels are closed, and official Telegram or Discord rooms do not provide contact options.
The incidents bring renewed attention to the risks of “shadow hiring” in crypto projects that outsource development through gig-work platforms.
Investigators continue to monitor the on-chain trails, and affected communities await formal statements from Furie, ChainSaw, and Favrr.