Matt Furie and Favrr hacked: losses over $1M & DPRK connection linked to Replicandy and Hedz attacks – ZachXBT investigation reveals complex scheme
On-chain analysis shows the attacker gained control over key contracts via pre-transferred ownership rights. The attacker also coordinated actions through a chain of addresses linked to previously identified wallets and to developers who used GitHub pseudonyms and VPNs and showed inconsistencies in time zone and language settings.
Attack on Replicandy and ChainSaw NFT Projects – Contract Takeover and Market Crash
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.
— ZachXBT (@zachxbt) June 27, 2025
Let’s start from the beginning – the incident on June 18, 2025, when ownership of the smart contract of the Replicandy NFT project, developed by Matt Furie in partnership with ChainSaw, was transferred to a new EOA address 0x9Fca. On the same day at 18:20 UTC, the contract’s minting proceeds were withdrawn, and the next day, June 19 at 5:11, the same address unpaused the contract, initiating a second token issuance. The attacker exploited this as follows: they minted new NFTs and immediately dumped them into the liquidity pool, causing a sharp collapse in the floor price.
On June 23, a similar scenario was repeated: the same address 0x9Fca gained control over the contracts of the Replicator, Hedz, and Zogz projects. In all cases, ownership was transferred from ChainSaw’s technical deployer to the attacker. Then, the same actions were followed: minting, aggressive sell-off, and market liquidation. According to ZachXBT, the total damage across these four collections amounted to about $310,000. The main transactions passed through three addresses, one of which – 0x91bd – became a key node for consolidation and routing funds to centralized platforms.
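The sequence described above (ownership moves to an unfamiliar address, which then unpauses the contract and mints) can be watched for by the project itself. The following is an added monitoring example, not code from the investigation or from the affected projects; it assumes the contracts emit OpenZeppelin-style `OwnershipTransferred` and `Unpaused` events and ERC-721 `Transfer` events, and every address, contract label and timestamp in it is a constructed placeholder.

```python
# Constructed, already-decoded contract events (not real chain data).
# Addresses are labelled placeholders; "t" is minutes since monitoring started.
APPROVED_OWNERS = {"0xDEPLOYER_PLACEHOLDER", "0xMULTISIG_PLACEHOLDER"}
ZERO = "0x" + "0" * 40  # ERC-721 mints are Transfer events from the zero address
ROGUE = "0xUNKNOWN_EOA_PLACEHOLDER"

def ev(t, contract, event, **args):
    return {"t": t, "contract": contract, "event": event, "args": args}

def mint(t, contract, to, token_id):
    return {"t": t, "contract": contract, "event": "Transfer",
            "args": {"from": ZERO, "to": to, "tokenId": token_id}}

SAMPLE_EVENTS = [
    ev(0, "nft-A", "OwnershipTransferred",
       previousOwner="0xDEPLOYER_PLACEHOLDER", newOwner=ROGUE),
    ev(3, "nft-B", "OwnershipTransferred",
       previousOwner="0xDEPLOYER_PLACEHOLDER", newOwner="0xMULTISIG_PLACEHOLDER"),
    mint(4, "nft-B", "0xCOLLECTOR_PLACEHOLDER", 7),   # normal mint, approved owner
    ev(10, "nft-A", "Unpaused", account=ROGUE),
    mint(12, "nft-A", ROGUE, 101),
    mint(13, "nft-A", ROGUE, 102),
    mint(14, "nft-A", ROGUE, 103),
]

def detect_takeover(events, approved_owners, mint_threshold=3):
    """Return (time, contract, severity, reason) alerts for takeover-like sequences."""
    alerts, rogue_owner, mints = [], {}, {}
    for e in sorted(events, key=lambda x: x["t"]):
        c, name, a = e["contract"], e["event"], e["args"]
        if name == "OwnershipTransferred":
            if a["newOwner"] in approved_owners:
                rogue_owner.pop(c, None)      # control is with a known owner
                mints.pop(c, None)
            else:
                rogue_owner[c], mints[c] = a["newOwner"], 0
                alerts.append((e["t"], c, "high", "owner changed to unapproved address"))
        elif c not in rogue_owner:
            continue                          # contract under approved ownership
        elif name == "Unpaused" and a["account"] == rogue_owner[c]:
            alerts.append((e["t"], c, "critical", "unapproved owner unpaused contract"))
        elif name == "Transfer" and a["from"] == ZERO:
            mints[c] += 1
            if mints[c] == mint_threshold:    # alert once per burst
                alerts.append((e["t"], c, "critical", "mint burst after ownership change"))
    return alerts

if __name__ == "__main__":
    for alert in detect_takeover(SAMPLE_EVENTS, APPROVED_OWNERS):
        print(alert)
```

The first alert fires at the ownership change itself, which in the Replicandy timeline preceded the unpause and second issuance, so that is the point at which marketplaces and holders can still be warned.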
Favrr and $FAVRR – Listing Exploit and $680K Withdrawn via MEXC and Gate
The largest incident was still ahead: the exploit of Favrr, a project focused on a Web3 marketplace and the $FAVRR token. On June 25, at the moment of the token’s DEX listing, abnormal activity was detected, accompanied by a loss of contract control and the withdrawal of a significant amount of funds: over $680,000, according to ZachXBT. Token flow analysis showed that the funds were transferred to address 0x477, associated with the so-called “ITW consolidation” – a structure through which payments to potential DPRK IT specialists are routed.
Transaction tracing also revealed a second payroll address, which sent funds to a Gate exchange deposit address (0xab7). This formed the basis for the conclusion that at least two IT specialists involved in the attack were embedded in the Favrr team. One of them is believed to have operated under the pseudonym Alex Hong – the project’s CTO, whose LinkedIn profile was deleted shortly after the incident. According to ZachXBT, the workplaces he claimed could not be verified during due diligence, further reinforcing suspicions of his affiliation with the North Korean cluster.
On-Chain Links and the DPRK ITW Cluster: GitHub Accounts, VPN, Time Zones
This was a far-reaching investigation, and it also highlighted other aspects of the scheme. In particular, GitHub profiles devmad119 and sujitb2114 were identified, containing wallet addresses in public repositories that participated in the attacks. According to ZachXBT, these accounts were used to secure front-end and smart contract work through Web3 communities and likely belonged to DPRK IT specialists.
Internal logs and behavioral analysis confirm additional anomalies: system language set to Korean, active use of Astral VPN, and a mismatch between the stated location in the US and a time zone set to Asia/Seoul or Russia Standard Time.
Several addresses related to fund withdrawal led to a consolidation and cash-out scheme via centralized exchanges. For example, 2.05 ETH was sent to Exchange 1 (likely MEXC) on June 18, followed by a related receipt of 5,007 USDT at another address linked to the exchange. One of the key routes, 0xf87, made it possible to uncover additional payment flows ranging from $2K to $10K per month, indicating a persistent compensation system used to finance the ITW group across several projects.
Another strong investigation by ZachXBT, who once again played a vital role. Their earlier work on the Bybit exploit also revealed a vulnerability in a third-party provider and the likely involvement of North Korean hackers. Without the degree of investigative transparency provided by ZachXBT, it is unclear whether balances and even platform liquidity could have been restored so quickly.
Conclusion
With more money flowing into Web3, it becomes an increasingly attractive target for attackers. We are also seeing rising activity from North Korean hackers and a systemic approach to infiltrating projects by posing as developers.
All of this requires extreme vigilance from Web3 builders when designing security architectures, and calls on users to exercise maximum caution.