ZachXBT (@zachxbt)

Followers: 874K | Following: 215K | Media: 6K | Statuses: 21K

Scam survivor turned 2D investigator | Advisor @paradigm

Joined February 2015
@zachxbt
ZachXBT
10 months
1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.
@zachxbt
ZachXBT
2 days
Update: Sandy Nguyen changed his X username after my post from ‘bullishgopher’ to ‘dddxxxssseaeff’. X user ID: 1532495241038778387
@zachxbt
ZachXBT
2 days
@MEXC_Official @Gate_io Update: Ildar Ilham aka @XBT_Prometheus (founder of @WhiteRock_Fi) was arrested by UAE law enforcement for his involvement in the $30M Zkasino exit scam. He will be extradited to the Netherlands next for the criminal case.
@zachxbt
ZachXBT
3 days
9/ I believe that when a team hires multiple DPRK ITWs it is a decent indicator for determining that startup will be a failure. Unlike other threats to the industry, DPRK ITWs have little sophistication, so it’s mainly the result of a team’s own negligence. I think the
@zachxbt
ZachXBT
3 days
8/ Another misconception is crypto projects have the most DPRK ITWs when in reality the issue is just as bad if not worse at traditional tech companies. The downside of fiat is you cannot trace funds back to the company to alert them whereas when ITWs are paid with crypto it.
@zachxbt
ZachXBT
3 days
7/ A few key trends I have observed:
> A common misconception is that US exchanges have more rigorous KYC/AML requirements than offshore competitors. DPRK ITWs have an increasing number of accounts tied to US exchanges like Coinbase or Robinhood.
> MEXC remains a popular choice.
@zachxbt
ZachXBT
3 days
6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active. One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc). They
@zachxbt
ZachXBT
3 days
5/ USDC was sent directly from Circle accounts to three addresses in this cluster. It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim. Other DPRK ITW clusters currently have decent sized quantities of USDC sitting. I think it’s misleading
@zachxbt
ZachXBT
3 days
4/ Other indicators from this cluster after speaking with teams displayed immediate red flags.
> ITW refused to meet up irl with team member but claimed to live in same city.
> Three ITWs referred each other for a role at the same project.
> Russian IPs for ITW supposedly from.
@zachxbt
ZachXBT
3 days
3/ Sandy Nguyen (@bullishgopher) a DPRK ITW from this cluster was spotted via OSINT next to the North Korea flag at an event in Russia. A small group of people still believe North Korean devs are just a conspiracy despite all of the IOCs, research, etc widely available.
@zachxbt
ZachXBT
3 days
2/ Here’s a look into one of the six clusters I have been monitoring and was able to attribute 8 different DPRK ITWs that obtained roles at 12+ projects. I traced out the payment addresses from the table to two consolidation addresses.
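The post above describes tracing payment addresses from a table of ITW payroll to two consolidation addresses. The following is an added example, not code from the thread or from ZachXBT: it takes a constructed transfer list (placeholder addresses and amounts, not the thread's real data) and finds destinations fed by two or more known payroll addresses, then follows each consolidation one hop further to see whether they share a deposit address. The address names and the `min_sources` threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample transfer list standing in for on-chain payroll flows.
# Each row is (from_address, to_address, amount_usd); the addresses are
# placeholders, not the thread's real addresses.
SAMPLE_TRANSFERS = [
    ("0xpayroll_1", "0xconsol_A", 4000.0),
    ("0xpayroll_1", "0xconsol_A", 4100.0),
    ("0xpayroll_2", "0xconsol_A", 3500.0),
    ("0xpayroll_3", "0xconsol_B", 6000.0),
    ("0xpayroll_4", "0xconsol_B", 5500.0),
    ("0xpayroll_5", "0xunrelated", 200.0),       # single-source sink, not a consolidation
    ("0xconsol_A", "0xexchange_deposit", 11600.0),
    ("0xconsol_B", "0xexchange_deposit", 11500.0),
]

# Payment addresses collected from project teams (constructed placeholders).
PAYROLL_ADDRESSES = {"0xpayroll_1", "0xpayroll_2", "0xpayroll_3", "0xpayroll_4", "0xpayroll_5"}


def find_consolidations(transfers, payroll, min_sources=2):
    """Map each destination to the distinct payroll addresses that fund it and
    keep only destinations fed by at least `min_sources` of them.

    Returns {sink: {"sources": [...], "total_usd": float}}.
    """
    sources = defaultdict(set)
    totals = defaultdict(float)
    for src, dst, amount in transfers:
        if src in payroll and dst not in payroll:
            sources[dst].add(src)
            totals[dst] += amount
    return {
        dst: {"sources": sorted(srcs), "total_usd": round(totals[dst], 2)}
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


def next_hops(transfers, address):
    """Distinct addresses that `address` forwards funds to (one hop out)."""
    return sorted({dst for src, dst, _ in transfers if src == address})


def shared_destination(transfers, consolidations):
    """Addresses reached one hop out from more than one consolidation address;
    a shared exchange deposit address ties the consolidations to one operator."""
    seen = defaultdict(set)
    for consol in consolidations:
        for dst in next_hops(transfers, consol):
            seen[dst].add(consol)
    return {dst: sorted(c) for dst, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    consols = find_consolidations(SAMPLE_TRANSFERS, PAYROLL_ADDRESSES)
    for sink, info in consols.items():
        print(sink, info, "->", next_hops(SAMPLE_TRANSFERS, sink))
    print("shared:", shared_destination(SAMPLE_TRANSFERS, consols))
```

On real data the transfer list would come from an indexer or node RPC; the threshold of two distinct payroll sources is what separates a genuine consolidation from a one-off payment to an unrelated address.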
@zachxbt
ZachXBT
3 days
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies. To put this in perspective payments range from $3K-8K per month meaning
@zachxbt
ZachXBT
8 days
12/ Soon I plan to publish my stats on total payments being sent out to DPRK ITWs at companies/projects to provide insight into how bad it is. It’s depressing how many teams hire DPRK IT workers when basic due diligence would likely have prevented it. The lack of communication
@zachxbt
ZachXBT
8 days
11/ The Favrr CTO Alex Hong has a background which appears suspicious and is likely one of the two DPRK ITWs hired. His LinkedIn was very recently deleted. I also reached out to a project he supposedly worked at but could not verify his work history.
@zachxbt
ZachXBT
8 days
10/ DPRK ITW consolidation 0x477 received payroll from the project Favrr which was exploited for $680K+ on June 25, 2025. I suspect they have a second ITW on payroll as well because the exploiter address is tied to a Gate deposit address 0xab7 which ITW 2 sent payroll to. Favrr
@favrr_market
Favrr
10 days
The Favrr team and its investors have taken cognisance of a technical issue during $FAVRR’s DEX listing on Wednesday, June 25. While investigations are ongoing, we want to outline the immediate next steps for the Favrr community:
1. All participants in the @CoinTerminalCom IDO.
@zachxbt
ZachXBT
8 days
9/ Tracing back from the MEXC deposit 0xf87f led to another different DPRK ITW consolidation:
0x477d13ee1e1304292d270bfac1aa496902e6851f
@zachxbt
ZachXBT
8 days
8/ Other indicators revealed from internal logs point out irregularities in a suspected DPRK IT worker’s resume. Why would a developer who claims to be living in the US have a Korean language setting, Astral VPN usage, and an Asia/Russia time zone?
@zachxbt
ZachXBT
8 days
7/ Two GitHub accounts used by suspected DPRK ITWs in this cluster can be seen below, along with the wallets listed on their accounts.
DPRK ITW 1: devmad119
0x93d5785d759563b5b8eb98eaff9196dddf7179f3
DPRK ITW 2: sujitb2114
0x6c88dd91de053fca915baece6868f6c32d20adea
@zachxbt
ZachXBT
8 days
6/ Tracing back from the MEXC deposit address 0xf87 revealed many other stablecoin deposits received each month ranging from $2K-10K for various projects. As those teams were helpful with providing info and the DPRK ITWs were removed, I will not name the project.
@zachxbt
ZachXBT
8 days
5/ The attacker transferred 2.05 ETH to exchange 1 on Jun 18 at 7:47 pm UTC. By performing a timing analysis I could locate the destination transaction where 5007.91 USDT was received and transferred to MEXC.
0xf87fbc5e8fff065b413d3d48932b6fb5585d93d5
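The timing analysis described above (an inbound ETH deposit to an exchange, followed by an outbound stablecoin transfer of roughly the same value shortly after) is the kind of heuristic an investigator applies when funds pass through a custodial hop that breaks direct on-chain linkage. The following is an added example, not code from the thread: it uses the 2.05 ETH and 5007.91 USDT figures from the post, but the deposit timestamp, the assumed ETH price, and the candidate outbound transfers are constructed for illustration. The window and fee tolerance are assumptions; on real data both would be tuned to the exchange's observed behaviour.

```python
from datetime import datetime, timedelta, timezone

# Constructed records (not the thread's on-chain data). The inbound transfer
# uses the 2.05 ETH figure and 7:47 pm UTC time from the post; the price and
# the candidate outbound transfers below are assumptions for illustration.
DEPOSIT = {
    "amount_eth": 2.05,
    "time": datetime(2025, 6, 18, 19, 47, tzinfo=timezone.utc),
}
ETH_USD = 2443.0  # assumed ETH price at the time of the deposit

# Constructed outbound stablecoin transfers from the exchange hot wallet.
CANDIDATE_WITHDRAWALS = [
    {"tx": "0xcand_1", "amount_usd": 5007.91, "time": datetime(2025, 6, 18, 20, 12, tzinfo=timezone.utc)},
    {"tx": "0xcand_2", "amount_usd": 5010.00, "time": datetime(2025, 6, 18, 15, 0, tzinfo=timezone.utc)},   # before the deposit
    {"tx": "0xcand_3", "amount_usd": 12000.00, "time": datetime(2025, 6, 18, 20, 5, tzinfo=timezone.utc)},  # wrong size
    {"tx": "0xcand_4", "amount_usd": 4950.00, "time": datetime(2025, 6, 18, 21, 30, tzinfo=timezone.utc)},
    {"tx": "0xcand_5", "amount_usd": 5000.00, "time": datetime(2025, 6, 19, 2, 0, tzinfo=timezone.utc)},    # outside the window
]


def match_withdrawals(deposit, candidates, eth_usd, window=timedelta(hours=3), tolerance=0.03):
    """Rank outbound transfers that could be the continuation of `deposit`.

    A candidate qualifies when it leaves after the deposit but within `window`,
    and its USD value is within `tolerance` of the deposit's USD value (a small
    shortfall is expected: exchange trading fee and spread). Lower score = better;
    the score adds the relative value mismatch to the fraction of the window elapsed.
    """
    expected_usd = deposit["amount_eth"] * eth_usd
    start, end = deposit["time"], deposit["time"] + window
    ranked = []
    for c in candidates:
        if not (start <= c["time"] <= end):
            continue
        rel_diff = (expected_usd - c["amount_usd"]) / expected_usd
        if abs(rel_diff) > tolerance:
            continue
        delay_frac = (c["time"] - start) / window  # 0.0 = immediately, 1.0 = end of window
        ranked.append({
            "tx": c["tx"],
            "amount_usd": c["amount_usd"],
            "delay_min": int((c["time"] - start).total_seconds() // 60),
            "score": round(abs(rel_diff) + delay_frac, 4),
        })
    ranked.sort(key=lambda r: r["score"])
    return ranked


if __name__ == "__main__":
    for hit in match_withdrawals(DEPOSIT, CANDIDATE_WITHDRAWALS, ETH_USD):
        print(hit)
```

A single match is a lead, not proof: the same exchange hot wallet serves many users, so an investigator confirms the link with a second signal (a subsequent hop to a known deposit address, or records from the exchange) before treating the candidate as the same funds.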
@zachxbt
ZachXBT
8 days
4/ In total I estimate $310K+ from their projects was stolen and transferred primarily between the three addresses below.
0xf6a9349c54d51f7f76bbd2afd755b5dd75e617ee
0x7e580f916a8e93871b72a694407fb7d790de96a6
0x58f4299465b261e79713e5c78a7629cd656aed36