Thursday, October 16, 2025

Pepe meme creator’s NFT projects hit for $1 million as contract hijackers drain collections


Projects tied to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost roughly $1 million to contract takeover exploits last week, according to on-chain investigator ZachXBT.

On June 27, ZachXBT reported transaction data showing that the attacker seized control of the “Replicandy” contract at 4:25 a.m. UTC on June 18 by transferring ownership to the externally owned address 0x9Fca.

Two hours later, the new owner withdrew mint proceeds and, at 5:11 a.m. the following day, reopened the mint, issued fresh NFTs, and dumped them into open bids, pushing the floor price to zero.

On June 23, the same address took over three more ChainSaw contracts: Peplicator, Hedz, and Zogz. The bad actor then repeated the mint-and-dump cycle.

ZachXBT estimated the combined theft at more than $310,000 and linked the funds to a few collector addresses: 0xf6a9, 0x7e58, and 0x58f4. He traced a 2.05 ETH payment from 0x9Fca to an exchange deposit that converted to 5,007.91 USDT and was then moved to MEXC.

He subsequently mapped many smaller monthly deposits from unrelated projects into the same exchange wallet.

Two GitHub accounts, “devmad119” and “sujitb2114,” list wallets that intersect the stolen fund path.

Both accounts share indicators that ZachXBT associated with North Korean IT workers, including Korean language system settings, Astral VPN sessions, and Asia-Russia time zones, despite résumés that claim US residency.

Favrr exploit follows the same payroll path

A second incident surfaced on June 25, when the freelance services token project Favrr lost more than $680,000 following its listing on a DEX. On-chain analysis linked the exploit to the consolidation wallet 0x477, which received recurring payments from Favrr payroll addresses 0x1708 and 0x6412.

Gate.io deposit address 0xab7 received part of the stolen Favrr tokens, and was previously funded by the suspected developer behind “sujitb2114”.

Favrr announced that it would refund all initial decentralized offering participants, cancel its MEXC listing, and initiate a thorough audit of its codebase. The project added that it will publish a new launch timeline “within the coming weeks” and advised users to avoid trading impostor tokens in the interim.

ZachXBT reported that Favrr’s chief technology officer, listed as Alex Hong, deleted his LinkedIn profile after the exploit. Attempts to verify his work history with previous employers were unsuccessful.

The investigator plans to release aggregate data on payroll flows to wallets tied to the same North Korean cluster, contending that basic due diligence checks would have flagged the hires.

The stolen funds from the ChainSaw collections remain idle, while most Favrr proceeds have already passed through Gate.io and several nested services.

ZachXBT said he has not reached the teams because their direct message channels are closed, and official Telegram or Discord rooms do not provide contact options.

The incidents bring renewed attention to the risks of “shadow hiring” in crypto projects that outsource development through gig-work platforms.

Investigators continue to monitor the on-chain trails, and affected communities await formal statements from Furie, ChainSaw, and Favrr.
