
The cryptocurrency and Web3 sector has recently faced a new wave of cyber attacks. According to renowned cybersecurity researcher ZachXBT, over the past week, a group of hackers posing as IT employees managed to steal around $1 million in cryptocurrency by hacking several Web3 projects. This incident once again raises questions about the security and vulnerability of decentralized platforms and digital assets.
Details of the incident
Affected projects
According to ZachXBT, the victims included:
- Favrr – Web3 fan token marketplace;
- Replicandy – NFT project;
- ChainSaw – NFT project;
- several other teams, whose names the analyst preferred not to disclose.
These projects are platforms that work with non-fungible tokens (NFTs) and fan tokens, which are actively used in the Web3 ecosystem to interact with the audience and monetize digital assets.
Attack mechanism
The hackers used a scheme built on the NFT minting mechanism:
- They created a large number of new NFT tokens.
- They sold them en masse, artificially driving the minimum (floor) price to zero.
- They profited by manipulating the token market.

This tactic allowed the attackers not only to steal funds, but also to influence the pricing of assets, which caused additional damage to the projects and their users.
Tracking stolen funds
After successful attacks, the hackers moved the stolen crypto assets through a chain of wallets and crypto exchanges to hide their origin and make it more difficult to track.
- The funds stolen from the ChainSaw project remain mostly dormant, which may indicate preparations for further operations or waiting for a favorable moment to withdraw.
- The cryptocurrency stolen from Favrr was transferred to investment services, likely for laundering or reinvestment.
General security problem in the crypto industry
Attacks on Web3 projects are just part of a larger trend of internal security threats in the IT and crypto spheres. Attackers are increasingly using social engineering and insider methods to penetrate companies.
Examples of other major incidents
- The hacker group “Ruby Sleet” (linked to North Korea) infiltrated US aerospace and defense contractors in November 2024 and also began targeting IT companies by creating fake recruitment programs and using social engineering.
- In May 2025, crypto exchange Coinbase reported a data breach and extortion attempt in which attackers bribed customer service contractors to steal the personal information of 69,461 users.
- Brazil’s central bank was the victim of a massive cyberattack that resulted in the theft of around $140 million (reported 07/05/2025).
Conclusions and recommendations
These incidents highlight the need for increased security measures in the crypto industry and the IT sector as a whole:
- Implementing multi-level authentication and access control.
- Regularly auditing project code and infrastructure.
- Training employees and contractors in phishing and social engineering awareness.
- Monitoring and analyzing suspicious transactions in real time.
- Implementing transparent procedures for recruiting and vetting personnel.
Only a comprehensive approach to security will reduce risks and protect users and projects from financial losses and reputational damage.
If you are interested in learning more about how to protect yourself and respond to Web3 cyber attacks, I am happy to provide detailed recommendations and practical advice.
What methods did hackers use to steal cryptocurrency from Web3 projects?
Hackers stealing cryptocurrency from Web3 projects use several key methods that allow them to bypass protection and extract significant amounts of funds. The main ones are:
- NFT minting mechanism manipulation and artificial price collapse: Attackers create large quantities of NFT tokens, sell them en masse, reducing the minimum price to zero, and profit from market manipulation, as seen in recent attacks on Favrr, Replicandy, and ChainSaw [source data].
- Social engineering and insider attacks: Hackers pose as IT employees, create fake recruitment programs, and bribe contractors and developers to gain access to private keys and internal systems. For example, in the case of crypto exchange Coinbase, attackers bribed support contractors to steal customer data [5, 8].
- Compromise of private keys and multi-signatures: Through malware and sophisticated injections, hackers gain control of key participants’ devices and sign malicious transactions in the background, bypassing the visible security interface. This is how Radiant Capital was attacked, with losses in the tens of millions of dollars [5].
- Malicious development kits and libraries: Injecting backdoors into popular SDKs and libraries (e.g. web3-wrapper-ethers or @solana/web3.js) to steal private keys and control transactions. Attacks often start with phishing emails aimed at developers to steal credentials and two-factor authentication codes [3, 6].
- Exploitation of access control vulnerabilities in smart contracts: Missing or improperly configured restrictions on the execution of critical functions allow attackers to create tokens or transfer funds without permission, resulting in significant financial losses [5].
- Transaction manipulation and network attacks: Using race attacks, Sybil attacks (flooding the network with controlled nodes to block or intercept transactions), and transaction simulation to bypass wallet protection [2, 4].
Thus, the main methods of cryptocurrency theft from Web3 projects include a combination of technical vulnerabilities in smart contracts and infrastructure, as well as the human factor – social engineering and compromise of trusted persons. Comprehensive security enhancements are necessary for protection, including code auditing, staff training, multi-factor authentication and monitoring of suspicious activities.
How Attackers Used NFT Minting to Make Profits
The attackers used the NFT minting mechanism in the following way: they created a large number of new NFT tokens and sold them en masse, while artificially reducing the minimum prices to zero. This scheme allowed them to manipulate the token market, reducing the tokens’ value while simultaneously making a profit by selling a large volume of them [1].
Essentially, the hackers created a slew of NFTs that technically had value, but were artificially priced to make them virtually worthless to buyers. This allowed the attackers to quickly sell the tokens and steal funds, while simultaneously undermining trust in the projects and their economies.
After successfully minting and selling the NFTs, the hackers moved the stolen funds through crypto exchanges and wallet chains to hide the traces of the crime and make it more difficult to track the assets. For example, the cryptocurrency stolen from the Favrr project was moved to investment services for further use [1].
Thus, the attackers exploited a vulnerability in the mechanism of issuing and selling NFTs, combining the technical capabilities of minting with market manipulation to make a profit and steal cryptocurrency from Web3 projects.
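As an added illustration (not part of the original article), the following Python snippet shows how a project could flag the pattern described above in its own event stream: a single minter producing an abnormal number of tokens inside a short window, followed by a seller offloading mostly at a zero price. The event stream, the address labels 0xalice and 0xmallory, and the thresholds are all constructed for this example.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed sample stream (not real chain data).
    Each event is (timestamp_seconds, kind, actor, token_id, price):
    kind "mint" -> actor is the minter; kind "sale" -> actor is the seller."""
    base = 1_700_000_000
    events = []
    # An ordinary creator: 5 mints spread over an hour, each sold at 0.5.
    for i in range(5):
        events.append((base + i * 720, "mint", "0xalice", i, 0.0))
        events.append((base + i * 720 + 300, "sale", "0xalice", i, 0.5))
    # An insider holding the minter key: 120 mints in three minutes,
    # then every token dumped at a zero price to push the floor down.
    for i in range(120):
        events.append((base + 3600 + i * 1.5, "mint", "0xmallory", 1000 + i, 0.0))
        events.append((base + 3900 + i, "sale", "0xmallory", 1000 + i, 0.0))
    return sorted(events)


def detect_mass_mint_dump(events, window=600, mint_limit=50,
                          min_sales=20, zero_ratio=0.8):
    """Flag actors who mint at least mint_limit tokens inside a sliding
    window of `window` seconds, and actors whose sales (once there are at
    least min_sales of them) are mostly at a zero price.
    Returns {actor: [reasons]}; each rule fires once per actor."""
    recent_mints = defaultdict(deque)      # actor -> mint timestamps in window
    sales = defaultdict(lambda: [0, 0])    # actor -> [sales, zero-price sales]
    alerts = defaultdict(list)
    flagged = set()                        # (actor, rule) already reported
    for ts, kind, actor, _token_id, price in sorted(events):
        if kind == "mint":
            q = recent_mints[actor]
            q.append(ts)
            while ts - q[0] > window:      # drop mints that left the window
                q.popleft()
            if len(q) >= mint_limit and (actor, "mint") not in flagged:
                flagged.add((actor, "mint"))
                alerts[actor].append(f"{mint_limit} mints within {window}s")
        elif kind == "sale":
            s = sales[actor]
            s[0] += 1
            if price == 0:
                s[1] += 1
            if (s[0] >= min_sales and s[1] / s[0] >= zero_ratio
                    and (actor, "dump") not in flagged):
                flagged.add((actor, "dump"))
                alerts[actor].append(f"{s[1]}/{s[0]} sales at zero price")
    return dict(alerts)


if __name__ == "__main__":
    for actor, reasons in detect_mass_mint_dump(build_sample_events()).items():
        print(actor, "->", "; ".join(reasons))
```

In production the thresholds would be set from the project's own historical mint and sale rates, and the alert would gate a pause of the minting role rather than only print.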
Why Favrr’s Stolen Funds Were Moved to Investment Services, While ChainSaw Remained Inactive
Stolen funds from the Favrr project were transferred to investment services, likely for the purpose of laundering and reinvesting the cryptocurrency. Such a transfer allows the attackers to hide the origin of the funds, make them more difficult to track, and potentially increase their capital by participating in investment products or decentralized financial (DeFi) services.
At the same time, the funds stolen from ChainSaw remain mostly inactive, which may indicate several strategies by the hackers:
- Waiting for a favorable moment to withdraw or for further operations, such as reducing attention to the attack;
- Storing assets in cold wallets to maintain security and minimize the risk of detection;
- Preparing for larger-scale money laundering schemes or asset sales in the future.
Thus, the differences in the behavior of the stolen funds reflect different tactics of the attackers: active use and movement for disguise and growth in the case of Favrr, and conservative storage to minimize risks in the case of ChainSaw [source data].
What Internal Security Threats Are Companies Facing Around the World in 2025?
In 2025, companies around the world face a range of internal security threats that make it difficult to protect information systems and corporate data. The main ones include:
- Social threats and the human factor: Employees remain the most vulnerable link in the security system. Hackers use phishing, vishing (voice phishing), smishing (SMS attacks) and pretexting – fake emails, calls and messages – to trick people into giving up passwords and access to systems. Sometimes harm is caused by malicious intent – theft of corporate information, introduction of viruses or damage to equipment [1, 2].
- Insider threats: Unscrupulous employees or contractors may knowingly steal data, sell it to competitors, or use it for extortion. An example is the bribery of Coinbase support contractors to steal customer data [source].
- Supply chain attacks: Compromising weaker contractors and suppliers is becoming more common. Vulnerabilities in third-party services and software allow attackers to penetrate large organizations by bypassing key layers of defense [2, 5].
- Technical threats and malware: DDoS attacks, ransomware, spyware, and Trojans are common, aiming to disrupt a company and steal information. In 2025, ransomware attacks will remain among the most destructive, despite the rise of backup and response measures [2].
- Rise of AI-related threats: Attackers are using generative AI to create more convincing phishing messages, deepfake videos, and sophisticated malware, making attacks harder to detect and more effective [2, 4, 6].
- Identity and access management (IAM): IAM is becoming critical as employee and contractor accounts are frequently targeted. Access management failures lead to data leaks and compromised systems [4, 5].
- Vulnerabilities in public services and software: Companies do not always have time to promptly fix security holes, especially zero-day vulnerabilities, which allows attackers to penetrate networks and develop attacks [2, 5].
Thus, insider security threats in 2025 are a combination of human factors, technical vulnerabilities, and sophisticated social engineering techniques, enhanced by new technologies such as artificial intelligence. To counter these challenges, organizations need to take a comprehensive approach to staff training, access management, vendor auditing, and technical protection of infrastructure.
How the Ruby Sleet Group Is Connected to the North Korean Government and Its Attacks on IT Companies
The Ruby Sleet group has ties to the North Korean government, presumably the Ministry of State Security. This tie is supported by the fact that Ruby Sleet is considered one of the North Korean hacker groups that operates on behalf of the state and carries out cyber espionage and cyber attacks [1].
In 2024–2025, Ruby Sleet was seen targeting IT companies and contractors in various countries, including the United States. The hackers used social engineering techniques, including creating fake recruitment programs, to infiltrate companies. They sent malware disguised as test tasks for Python and JavaScript developers, allowing them to install Trojans and gain access to internal systems [1].
Ruby Sleet’s activities are aimed at stealing sensitive information, including data that could be used for blackmail or further attacks. These operations serve the North Korean government’s goals of evading international sanctions, gathering intelligence, and funding government programs, including nuclear and military ones [1].
Thus, Ruby Sleet is an instrument of North Korean cyber policy, carrying out targeted attacks on IT companies using sophisticated social engineering and technical hacking methods, which confirms its close ties to the DPRK state intelligence services.
The activities of the Ruby Sleet group differ from other North Korean hacker groups in a number of ways, related to the goals, methods and areas of attacks:
- Focus on IT companies and social engineering through recruitment programs: Unlike many North Korean groups that primarily target financial institutions, defense, and government targets, Ruby Sleet actively targets IT companies using fake recruitment programs. This allows them to infiltrate organizations through trust and human factors, which is a more sophisticated and targeted approach.
- Using malware as developer quizzes: Ruby Sleet distributes malware through Python and JavaScript programming quizzes, which differs from the more traditional malware distribution methods used by other groups.
- Targeted compromise of contractors and supply chains: The group focuses on infiltrating less secure IT contractors, allowing them to gain indirect access to large companies and government agencies.
- State-oriented, with an emphasis on cyber espionage and intelligence gathering to evade sanctions: While some North Korean groups focus on cryptocurrency theft and financial attacks (such as Lazarus Group), Ruby Sleet focuses more on intelligence operations and infiltrating IT infrastructure for long-term control.
Ruby Sleet thus stands out among North Korean hacker groups for its specialization in social engineering attacks in the IT sector, its use of sophisticated infiltration techniques through recruitment programs, and its focus on intelligence missions, making it unique in North Korean cyber operations.
- https://www.cnews.ru/book/%D0%9A%D0%9D%D0%94%D0%A0_-_%D0%9A%D0%BE%D1%80%D0%B5%D0%B9%D1%81%D0%BA%D0%B0%D1%8F_%D0%9D%D0%B0%D1%80%D0%BE%D0%B4%D0%BD%D0%BE-%D0%94%D0%B5%D0%BC%D0%BE%D0%BA%D1%80%D0%B0%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B0%D1%8F_%D0%A0%D0%B5%D1%81%D0%BF%D1%83%D0%B1%D0%BB%D0%B8%D0%BA%D0%B0_-_%D0%A1%D0%B5%D0%B2%D0%B5%D1%80%D0%BD%D0%B0%D1%8F_%D0%9A%D0%BE%D1%80%D0%B5%D1%8F
- https://ru.wikipedia.org/wiki/%D0%94%D0%B8%D0%BF%D0%BB%D0%BE%D0%BC%D0%B0%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B8%D0%B5_%D0%BE%D1%82%D0%BD%D0%BE%D1%88%D0%B5%D0%BD%D0%B8%D1%8F_%D0%9A%D0%9D%D0%94%D0%A0
- https://obit.ru/blog/informatsionnaya-bezopasnost/ugrozy-informatsionnoy-bezopasnosti-v-2025-godu-kak-izbezhat/
- https://ptnl.moscow/articles/kiberbezopasnost-v-2025-godu-novye-ugrozy-i-kak-ot-nikh-zashchititsia
- https://www.forus.ru/about/news/kiberugrozy-v-pervom-kvartale-2025/
- https://cisoclub.ru/cyberbezopasnost-v-2025-godu-10-glavnyh-vyzovov-i-ugroz/
- https://www.it-world.ru/security/9oquwvilzqckcsc80wo00sss4wws44w.html
- https://www.kaspersky.ru/blog/cyberthreats-and-trends-predictions-in-2025/38852/
- https://dfnc.ru/analytics/globalnaya-bezopasnost-2025/
- https://falcongaze.com/ru/pressroom/publications/kiberbezopasnost/kiberprestupnost-v-2025-godu-novye-skhemy-utechek-dannyh.html
- https://habr.com/ru/companies/netologyru/articles/900718/
- https://ics-cert.kaspersky.ru/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/
- https://www.block-chain24.com/news/novosti-bezopasnosti/zachxbt-haker-ustroilsya-na-rabotu-v-kriptoproekt-nft-i-ukral-1-mln
- https://fpa.ru/info/moshennicheskie-shemy-s-kriptovaljutoj/
- https://www.coindesk.com/ru/tech/2021/03/31/scams-and-fraud-bubble-up-as-nft-mania-takes-hold
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D1%81_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BE%D0%B9
- https://www.kaspersky.ru/resource-center/preemptive-safety/how-to-avoid-nft-scams
- https://support.nexo.com/ru/article/how-to-identify-and-avoid-common-crypto-and-nft-scams
- https://plisio.net/ru/blog/what-is-nft
- https://habr.com/en/articles/646771/comments/
- https://2bitcoins.ru/fbr-preduprezhdaet-o-scammers/
- https://nftcryptocapital.com/7-fake-nft.htm
- https://tangem.com/ru/blog/post/how-the-blockchain-gets-hacked-attacks-on-decentralized-networks/
- https://cisoclub.ru/analiz-web3-wrapper-ethers-ugroza-krazhi-kljuchej-ot-void-dokkaebi/
- https://cisoclub.ru/novaja-taktika-cyberatak-v-web3-manipuljacija-mehanizmami-predvaritelnogo-analiza-transakcij/
- https://habr.com/ru/companies/pt/articles/887984/
- https://www.binance.com/ru/blog/ecosystem/%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C-web3-%D0%BB%D1%83%D1%87%D1%88%D0%B8%D0%B5-%D0%BC%D0%B5%D1%82%D0%BE%D0%B4%D1%8B-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D1%8B-%D0%BD%D0%B0-%D0%BE%D1%81%D0%BD%D0%BE%D0%B2%D0%B5-%D0%BA%D0%BE%D0%BD%D1%84%D0%B8%D0%B4%D0%B5%D0%BD%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%BE%D1%81%D1%82%D0%B8-3731431418476279097
- https://www.hx.technology/ru/blog-ru/top-web3-incidents-and-their-causes-ru
- https://1275.ru/ioc/zlovrednyy-paket-dlya-krazhi-kriptovalyuty-atakuet-razrabotchikov-web3-v-ramkah-severokoreyskoy-operatsii_11937
- https://cyberacademy.dev/blog/31-web3-security-impacts-on-blockchain-and-web-technology
- https://2bitcoins.ru/hakery-i-sposob-krazhi-kripti/