Trendaavat aiheet
#
Bonk Eco continues to show strength amid $USELESS rally
#
Pump.fun to raise $1B token sale, traders speculating on airdrop
#
Boop.Fun leading the way with a new launchpad on Solana.
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.


2/ On Jun 18, 2025 at 4:25 am UTC ownership for ‘Replicandy’ from Matt Furie & ChainSaw was transferred to a new EOA 0x9Fca.
Jun 18, 2025
6:20 pm UTC: 0x9Fca withdrew mint proceeds from the contract
Jun 19, 2025
5:11 am UTC: 0x9Fca unpauses the mint
The attacker then minted NFTs and sold into bids causing the floor price to fall to zero.



3/ On Jun 23, 2025 the attacker transferred ownership from the ChainSaw deployer to 0x9Fca for Peplicator, Hedz, Zogz.
Similarly the attacker minted NFTs and sold them into bids causing the floor price to fall to zero.
0x9Fca3AC75cd66f3c62bea8231886513b9fe191BD

4/ In total I estimate $310K+ from their projects was stolen and transferred primarily between the three address below.
0xf6a9349c54d51f7f76bbd2afd755b5dd75e617ee
0x7e580f916a8e93871b72a694407fb7d790de96a6
0x58f4299465b261e79713e5c78a7629cd656aed36

5/ The attacker transferred 2.05 ETH to exchange 1 on Jun 18 at 7:47 pm UTC.
By performing a timing analysis I could locate the destination transaction where 5007.91 USDT was received and transferred to MEXC.
0xf87fbc5e8fff065b413d3d48932b6fb5585d93d5

6/ Tracing back from the MEXC deposit address 0xf87 revealed many other stablecoin deposits received each month ranging from $2K-10K for various projects.
As those teams were helpful with providing info and the DPRK ITWs were removed so I will not name the project.

7/ Two GitHub accounts used by suspected DPRK ITWs in this cluster can be seen below and listed wallets on their account.
DPRK ITW 1: devmad119
0x93d5785d759563b5b8eb98eaff9196dddf7179f3
DPRK ITW 2: sujitb2114
0x6c88dd91de053fca915baece6868f6c32d20adea


8/ Other indicators revealed from internal logs point out irregularities in a suspected DPRK IT workers resume.
Why would a developer who claims to be living in the US have a Korean language setting, Astral VPN usage, and have an Asia/Russia time zone?
9/ Tracing back from the MEXC deposit 0xf87f lead to another different DPRK ITW consolidation:
0x477d13ee1e1304292d270bfac1aa496902e6851f

10/ DPRK ITW consolidation 0x477 received payroll from the project Favrr which was exploited for $680K+ on June 25, 2025
I suspect they have a second ITW on payroll as well because the exploiter address is tied to a Gate deposit address 0xab7 which ITW 2 sent payroll to.
Favrr ITW 1
0x17087f92d16049e9097413b4964663b754c1e43d
Favrr ITW 2
0x641279133f6f560c3f512b8e2d286ae2c53c31ee


26.6.2025
The Favrr team and its investors have taken cognisance of a technical issue during $FAVRR’s DEX listing on Wednesday, June 25.
While investigations are ongoing, we want to outline the immediate next steps for the Favrr community:
1. All participants in the @CoinTerminalCom IDO will be refunded in full.
2. Today’s $FAVRR listing on @MEXC_official has been cancelled.
We’ll provide updates on the relaunch timeline in the coming weeks.
In the meantime:
• Please avoid trading $FAVRR and be cautious of any tokens impersonating it.
• Only rely on official announcements posted on X.
Thank you for your continued support and understanding.
12/ Soon I plan to publish my stats on total payments being sent out to DPRK ITWs at companies/projects to provide insight into how bad it is.
It’s depressing how many teams hire DPRK IT workers when basic due diligence would likely have prevented it.
The lack of communication from Matt Furie & ChainSaw since the incident occurred has been disappointing with their only warning to the community deleted without explanation.
The stolen funds from the ChainSaw incident mostly remain dormant.
The stolen funds for Favrr were transferred to Gate and a few nested services.
I have been unable to get in touch with the teams due to DMs disabled and no way to easily contact them on Telegram or Discord.

905,23K
Johtavat
Rankkaus
Suosikit