ZachXBT
@zachxbt1.bsky.social
Scam survivor turned 2D investigator | Advisor
@Paradigm

https://linktr.ee/zachxbt
Theft addresses:

h/t to Cyvers for helping investigate.
October 2, 2025 at 4:44 PM
Interestingly, several indicators share similarities to other known DPRK attacks.

SBI Crypto is a mining pool that's a subsidiary of SBI Group, a publicly traded company in Japan.

As of now it does not appear they have publicly disclosed the incident.
October 2, 2025 at 4:44 PM
Update: The OpenVPP team made a statement and says the reply was accidentally hidden by a 24/7 intern.
September 18, 2025 at 12:06 AM
OpenVPP then hid her reply from the post.

I reviewed the accounts promoting OpenVPP and it’s the usual influencer suspects.
September 18, 2025 at 12:06 AM
Theft address
0x37cDB6B40861F350E23AA5733E75755fCBed739F

Currently the majority of the stolen funds sit at 0x7abc09ab94d6015053f8f41b01614bb6d1cc7647
September 13, 2025 at 5:34 PM
A few hours ago the funds were split four ways and transferred between intermediary addresses before being sent to multiple instant exchanges.

The team has since turned off replies on X (Twitter) for all posts.

Presale address
4Ea23VxEGAgfbtauQZz11aKNtzHJwb84ppsg3Cz14u6q
September 9, 2025 at 11:25 PM
Coincidentally, this theft happened on the one year anniversary of the $243M Genesis Creditor theft.

Theft txn hash
da598f2a941ee3c249a3c11e5e171e186a08900012f6aad26e6d11b8e8816457
Theft address
bc1qyxyk4qgyrkx4rjwsuevug04wahdk6uf95mqlej
August 23, 2025 at 7:43 PM
Cracked dev fr
August 17, 2025 at 12:50 AM
Cracked dev fr
August 17, 2025 at 12:47 AM
I have already covered the indicators to look out for multiple times, so I will not repeat those again.
August 17, 2025 at 12:45 AM
ITWs are in no way sophisticated but are persistent since there are so many flooding the job market globally for roles.

Payoneer is commonly being used to convert fiat into crypto from dev work.
August 17, 2025 at 12:45 AM
11/ The main challenges faced in fighting DPRK ITWs at companies include the lack of collaboration between services and the private sector.

There’s also the negligence by the teams hiring them who become combative when alerted.
August 17, 2025 at 12:45 AM
10/ Still, one of the more common questions is “how do you know they are North Korean?”

Well, besides all of the fraudulent documents detailed above, their search history showed frequent Google Translate usage with translations to Korean with a Russian IP.
August 17, 2025 at 12:45 AM
9/ Other interesting items from their searches and browser history included:
August 17, 2025 at 12:45 AM