By Key Points
- Pepe NFT collections drained via inside job
- Hacker posed as IT staff to access mint contracts
- $680K stolen from Favrr after hiring a fake CTO
- ZachXBT links both hacks to North Korean operatives
A series of alarming NFT breaches have hit the crypto world, with over $1 million stolen after a North Korean hacker infiltrated two major projects—Chainsaw and Favrr. The breach began when Matt Furie’s NFT project, in collaboration with Chainsaw, unknowingly hired a hacker for an IT role.
The attacker gained internal access, transferring minting contracts and draining NFT collections under the Replicandy project. A few days later, the same group struck again—this time at Favrr, where the hacker had been hired as Chief Technology Officer (CTO).
The total losses from both incidents sit at an estimated $1 million, with over $310,000 taken from Replicandy and $680,000 from Favrr.
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. pic.twitter.com/85JRm5kLQO
— ZachXBT (@zachxbt) June 27, 2025
According to on-chain investigator ZachXBT, both hacks were linked to the same North Korean group. He revealed that fake resumes and interviews were used to infiltrate these firms, a method previously seen in other North Korean cybercrimes.
This latest incident highlights the urgent need for better vetting and stronger internal security in the crypto industry.
This isn’t the first time the crypto sector has been exposed to major security threats. Previously, similar warnings were raised during events like the Iran–Injectable protocol exploit, showing how geopolitical tension can bleed into the crypto world.
8/ Other indicators revealed from internal logs point out irregularities in a suspected DPRK IT workers resume.
Why would a developer who claims to be living in the US have a Korean language setting, Astral VPN usage, and have an Asia/Russia time zone?
— ZachXBT (@zachxbt) June 27, 2025
Weak Hiring Practices Lead to Devastating Breach
The story began with Chainsaw, an NFT firm collaborating with Pepe creator Matt Furie. Despite Furie’s fame in the meme world, especially as the artist behind the internet-famous frog Pepe, his involvement in NFTs was through Chainsaw—aimed at capitalizing on the booming NFT market.
That’s where the first failure happened. The company hired a fake candidate for a backend IT position. Once inside, the hacker quietly transferred the mint contract for the Replicandy NFT collection late at night.
He then minted excessive NFTs, flooding the supply and driving the floor price to zero. Just five days later, three more collections were hit similarly.
The Favrr team and its investors have taken cognisance of a technical issue during $FAVRR’s DEX listing on Wednesday, June 25.
While investigations are ongoing, we want to outline the immediate next steps for the Favrr community:
1. All participants in the @CoinTerminalCom IDO…
— Favrr (@favrr_market) June 26, 2025
But the breach didn’t stop there. The same attacker group moved on to Favrr, a platform that helps users launch their own NFT projects. Here, the hacker was not just an IT hire—they were hired as CTO.
This senior-level position gave them unrestricted access, allowing the group to pull off a second, even more damaging $680,000 exploit.
ZachXBT traced the transactions across wallets and observed laundering efforts tied to previously known North Korean crypto hacks.
Based on the evidence, he strongly believes this was the work of a North Korean hacking syndicate, possibly even tied to the infamous Lazarus Group.
This kind of event adds to growing concerns about the security risks in Web3 ecosystems, which are rapidly evolving. At the same time, projects like Gradient Network’s decentralized AI are trying to build tech that is resistant to centralized manipulation, including cybersecurity threats.
Alarming Silence from Matt Furie and Chainsaw
Despite the scale of the breach, Matt Furie and Chainsaw have remained silent. Chainsaw briefly issued a warning, only to later delete it. Furie, whose name and reputation were tied to the project, has made no public comment.
Even worse, both Chainsaw and Favrr disabled their direct messages on social platform X, making it nearly impossible for users and investigators to reach them. ZachXBT reported that all attempts to contact the affected parties were ignored.
10/ DPRK ITW consolidation 0x477 received payroll from the project Favrr which was exploited for $680K+ on June 25, 2025
I suspect they have a second ITW on payroll as well because the exploiter address is tied to a Gate deposit address 0xab7 which ITW 2 sent payroll to.
Favrr… https://t.co/mRRYNgj7kl pic.twitter.com/1KKDNwGsID
— ZachXBT (@zachxbt) June 27, 2025
This incident reflects a wider issue in the crypto space—a concerning lack of due diligence in hiring and operational security. Crypto firms often prioritize innovation and speed, but without basic safeguards, they remain easy targets for sophisticated attackers.
It’s also a strong reminder of how interconnected the ecosystem is. Whether it’s large holders impacting price movements like the largest Bitcoin holder’s mysterious moves or institutions pushing crypto accessibility—such as Chainlink and Mastercard unlocking DEX access—every player has a role in maintaining trust and security.
Even traditional finance is entering the game cautiously. Initiatives like the Invesco-Galaxy Solana ETF aim to legitimize and secure exposure to crypto, showing that regulatory-compliant models might be the safest way forward.
12/ Soon I plan to publish my stats on total payments being sent out to DPRK ITWs at companies/projects to provide insight into how bad it is.
It’s depressing how many teams hire DPRK IT workers when basic due diligence would likely have prevented it.
The lack of communication… pic.twitter.com/R35A9DzgPC
— ZachXBT (@zachxbt) June 27, 2025
ZachXBT has previously warned the community about rising activity from North Korean operatives, especially after the Lazarus Group orchestrated the largest crypto heist in history. These latest attacks suggest those warnings went largely unheeded.
What's your reaction?
