NFT collections connected to Pepe meme creator Matt Furie and studio ChainSaw suffered significant losses last week when attackers seized control of smart contracts and drained approximately $1 million in funds. On-chain investigator ZachXBT documented how an attacker gained ownership of the “Replicandy” contract on June 18, subsequently withdrawing mint proceeds and manipulating the collection’s floor price to zero through strategic dumping. The same malicious actor later compromised three additional ChainSaw contracts—Peplicator, Hedz, and Zogz—repeating the destructive mint-and-dump strategy across multiple collections.
Investigation revealed that the stolen funds, totaling over $310,000 from ChainSaw alone, were traced to specific wallet addresses with connections to suspected North Korean IT workers. ZachXBT identified two GitHub accounts, “devmad119” and “sujitb2114,” showing Korean language settings, Astral VPN usage, and Asia-Russia time zones despite claiming US residency. The analysis uncovered a pattern of monthly deposits from various unrelated projects flowing into the same exchange wallets, suggesting a coordinated operation targeting multiple crypto ventures.
A separate but related incident struck the Favrr token project on June 25, resulting in losses exceeding $680,000 shortly after its decentralized exchange listing. The exploit was linked to wallet addresses that had received regular payments from Favrr’s payroll system, indicating potential insider involvement. Following the attack, Favrr’s chief technology officer Alex Hong deleted his LinkedIn profile, and verification attempts with his previous employers proved unsuccessful. The company announced plans to refund all initial offering participants and cancel its MEXC exchange listing while conducting a comprehensive security audit.
These incidents highlight the growing risks of “shadow hiring” practices in cryptocurrency projects that outsource development through freelance platforms without proper vetting procedures. While the stolen ChainSaw funds remain untouched in their current wallets, most Favrr proceeds have already been laundered through Gate.io and multiple nested services. ZachXBT plans to release comprehensive data on payroll flows connected to the suspected North Korean cluster, emphasizing that basic due diligence could have prevented these costly breaches.
