The latest research shows that multiple meme token projects could be compromised through links with North Korean hackers. Multiple profiles have been flagged by ZachXBT and other investigators and are associated with known exploits.
Meme tokens may not be safe from DPRK hackers, as several projects have recently been compromised, leading to losses of up to $1 million. For now, the effect appears to be limited and only affects relatively new tokens. However, evidence shows that DPRK hackers are active in the meme space and are potentially active in Ethereum and Solana projects.
Some of the attacked projects were linked to cartoonist Matt Furie, who created the iconic Pepe image. ZachXBT tracked a set of attacks that affected the NFT collection. Chain/Saw and FAVRR were also among the exploited projects.
1/ Multiple projects tied to Matt Furie & Chainsaw, creator of Pepe, and another project FAVRR, were stolen last week, resulting in a million dollar theft
My analysis links both attacks to the same cluster of DPRK IT workers who are likely to have been mistakenly hired as developers. pic.twitter.com/85jrm5klqo
– ZachXBT (@zachxbt) June 27, 2025
In a series of attacks, new NFTs were minted in several projects, bringing floor prices to zero. ZachXBT has linked some of the wallets used to the profiles and repositories of blockchain developers suspected of ties to the North Korean regime.
One of the identified hackers was hired by the FAVRR project, which ultimately lost more than $680,000. Alex Hong, CTO of the FAVRR project, was also suspected. He left social media in May and deleted related LinkedIn accounts. Previously, DPRK hackers were involved in Web 3.0 projects, which mainly led to smart contract breaches.
DPRK hackers pose as a Solana team
Creating tokens on Pump.Fun is generally democratic. However, DPRK hackers also provide code to automate token creation or trading.
Investigators have recently discovered a series of social media accounts and GitHub profiles, claiming they are linked to North Korean hackers. Some profiles have already provided code for multiple chains, including Ethereum, BNB Smart Chain, Base, Arbitrum, etc. One of the identified hacker accounts also shared a Solana copy trading tool. The account is also busy advertising its services and promotes direct employment from the profile rather than through other software development agencies.
Some hackers have founded teams with old social media accounts. The ultimate goal is to be hired as a blockchain developer, potentially compromising meme tokens and other projects.
@browserCookies can’t have all the fun.
The gang met the DPRK-Made Dev Shop team who loves Solana, uses mature accounts, works on Twitter and is able to acquire at least one facilitator in Canada. We go one by one. 0xtan1319 was recently kicked out (Is there not enough gigs?… https://t.co/9udgpp3tkx pic.twitter.com/ttf6yneuu0
– BBSZ (@blackbigswan) June 26, 2025
The hacker clusters are also connected to previously discovered accounts that pretended to be Polish or American citizens. Again, the main goal was to obtain a remote software engineering job, including full stack blockchain roles. Several recruiting attempts have moved through the freelance hub Inspiration with Digital Living (IWDL) and try to trick legitimate projects into hiring DPRK-related IT workers. Some of the attempts include creating fake freelancer sites that present connected profiles.
The Pump.Fun token cycle reportedly included multiple meme projects linked to DPRK hackers. Previously, threat actors also intentionally launched meme tokens to launder funds from a previous Web3 robbery. The list of hacker handles and profiles is constantly growing, and not all of them are active. This route to a potential robbery is the reverse of the fake job offer that attempts to install malware on a user's computer.


