Projects tied to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost roughly $1 million to contract takeover exploits last week, according to on-chain investigator ZachXBT.
On June 27, ZachXBT reported transaction data showing that the attacker seized control of the “Replicandy” contract at 4:25 a.m. UTC on June 18 by transferring ownership to the externally owned address 0x9Fca.
Two hours later, the new owner withdrew mint proceeds and, at 5:11 a.m. the following day, reopened the mint, issued fresh NFTs, and dumped them into open bids, pushing the floor price to zero.
On June 23, the same address took over three more ChainSaw contracts: Peplicator, Hedz, and Zogz. The bad actor then repeated the mint-and-dump cycle.
ZachXBT estimated the combined theft at more than $310,000 and linked the funds to a few collector addresses: 0xf6a9, 0x7e58, and 0x58f4. He traced a 2.05 ETH payment from 0x9Fca to an exchange deposit that converted to 5,007.91 USDT and was then moved to MEXC.
He subsequently mapped many smaller monthly deposits from unrelated projects into the same exchange wallet.
Two GitHub accounts, “devmad119” and “sujitb2114,” list wallets that intersect the stolen fund path.
Both accounts share indicators that ZachXBT associated with North Korean IT workers, including Korean-language system settings, Astral VPN sessions, and Asia-Russia time zones, despite résumés that claim US residency.
Favrr exploit follows the same payroll path
A second incident surfaced on June 25, when the freelance services token project Favrr lost more than $680,000 following its listing on a DEX. On-chain analysis linked the exploit to the consolidation wallet 0x477, which received recurring payments from Favrr payroll addresses 0x1708 and 0x6412.
Gate.io deposit address 0xab7 received part of the stolen Favrr tokens, and was previously funded by the suspected developer behind “sujitb2114”.
Favrr announced that it would refund all initial decentralized offering participants, cancel its MEXC listing, and initiate a thorough audit of its codebase. The project added that it will publish a new launch timeline “within the coming weeks” and advised users to avoid trading impostor tokens in the interim.
ZachXBT reported that Favrr’s chief technology officer, listed as Alex Hong, deleted his LinkedIn profile after the exploit. Attempts to verify his work history with previous employers were unsuccessful.
The investigator plans to release aggregate data on payroll flows to wallets tied to the same North Korean cluster, contending that basic due diligence checks would have flagged the hires.
The stolen funds from the ChainSaw collections remain idle, while most Favrr proceeds have already passed through Gate.io and several nested services.
ZachXBT said he has not reached the teams because their direct message channels are closed, and official Telegram or Discord rooms don’t provide contact options.
The incidents bring renewed attention to the risks of “shadow hiring” in crypto projects that outsource development through gig-work platforms.
Investigators continue to monitor the on-chain trails, and affected communities await formal statements from Furie, ChainSaw, and Favrr.