North Korean hackers compromised Web3 gaming incubator Seedify’s cross-chain bridge, draining $1.2 million across BNB Chain networks.
The attack exploited a developer’s private key to mint unauthorized SFUND tokens through an audited bridge contract that should have prevented such minting.
Blockchain sleuth ZachXBT linked the theft addresses to previous North Korean “Contagious Interview” incidents through on-chain analysis.
North Korean state-affiliated hacker groups have claimed another victim in the DeFi sector, exploiting Web3 gaming incubator Seedify Fund’s token bridge infrastructure to steal $1.2 million while devastating the platform’s native token SFUND across multiple exchanges.
The attack on Tuesday targeted Seedify’s cross-chain bridge on BNB Chain, allowing hackers to mint unauthorized tokens and systematically drain liquidity pools across Ethereum, Arbitrum, and Base networks before converting proceeds on BNB Chain, the platform said in its official statement.
Today at roughly 12:05 UTC, a DPRK state-affiliated group known for many hacks in Web3 gained access to one of our developer’s private keys. Using these, they were able to mint a large amount of SFUND tokens through a bridge contract that had previously passed audit.
“The Seedify theft addresses are tied onchain to previous Contagious Interview incidents (DPRK),” blockchain sleuth ZachXBT tweeted following the breach, linking the attack to an ongoing campaign that has claimed over 230 victims between January and March alone, per a recent SentinelLABS intelligence report.
The SFUND token has plunged nearly 35% in the last 24 hours, now trading at $0.28, according to CoinGecko data. It was trading at $0.42 before the hack was reported.
“DPRK/Lazarus decided to take everything we built over 4.5 years in a single hack,” Seedify founder Meta Alchemist tweeted in response to the breach.
“The Seedify hack stemmed from a compromised developer key that let DPRK-linked actors mint unauthorized $SFUND tokens through a bridge contract,” Hakan Unal, Senior Security Operations Center Lead at Cyvers, told Decrypt.
“This contract should not have been able to mint these tokens without any token being bridged,” Seedify explained in its official statement, revealing the fundamental vulnerability that allowed unauthorized token creation.
“The hacker wallets connect on-chain to prior DPRK operations, highlighting how aggressive their ongoing rampage across Web3 has become,” Unal explained, recommending platforms monitor on-chain activity and implement multi-signature approvals.
The crypto industry mobilized quickly in response, with Binance founder Changpeng Zhao (CZ) saying security experts helped freeze $200,000 at the HTX exchange, and “the rest seem to remain on-chain.”
Talked to some security guys in the industry. I believe they were able to help track it and froze $200k at HTX, the rest seem to remain on-chain. Looks like North Korea DPRK.
Major CEXs probably have these addresses on blacklists now. Good luck!
“Contagious Interview” campaign threat actors operate in “coordinated teams with real-time collaboration, likely using Slack and multiple intelligence sources such as Validin, VirusTotal, and Maltrail” to monitor their infrastructure exposure, SentinelLABS said.
The report also found that despite DPRK hackers “totally analyzing threat intelligence and identifying artifacts that can be used to find their infrastructure,” they “didn’t implement systematic, large-scale changes to make it tougher to detect,” instead quickly deploying new infrastructure when disrupted.
“The competitive pressures stemming from North Korea’s annual revenue quotas” drive operatives to protect individual assets and “outperform colleagues” rather than coordinate security improvements, the cybersecurity firm said.
A recent Cisco Talos intelligence report showed that North Korean groups are continuing to refine their attacks with new malware like “PylangGhost,” targeting crypto professionals through fake Coinbase and Uniswap job postings.
With known DPRK-related losses in 2024 totaling $1.3 billion, the ByBit hack’s $1.5 billion alone has already made 2025 “by far their most profitable year to date,” according to Chainalysis’ 2025 Crypto Crime Mid-year Update.