Projects tied to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost roughly $1 million to contract takeover exploits last week, according to on-chain investigator ZachXBT.
On June 27, ZachXBT reported transaction records showing that the attacker seized control of the “Replicandy” contract at 4:25 a.m. UTC on June 18 by transferring ownership to the externally owned address 0x9Fca.
Two hours later, the new owner withdrew mint proceeds and, at 5:11 a.m. the next day, reopened the mint, issued fresh NFTs, and dumped them into open bids, pushing the floor price to zero.
On June 23, the same address took over three additional ChainSaw contracts: Peplicator, Hedz, and Zogz. The bad actor then repeated the mint-and-dump cycle.
ZachXBT estimated the combined theft at more than $310,000 and linked the funds to three collector addresses: 0xf6a9, 0x7e58, and 0x58f4. He traced a 2.05 ETH payment from 0x9Fca to an exchange deposit, where it was converted to 5,007.91 USDT and then moved to MEXC.
He subsequently mapped many smaller monthly deposits from unrelated projects into the same exchange wallet.
Two GitHub accounts, “devmad119” and “sujitb2114,” list wallets that intersect the stolen fund trail.
Both accounts share indicators that ZachXBT associated with North Korean IT workers, including Korean language system settings, Astral VPN sessions, and Asia-Russia time zones, despite résumés that claim US residency.
Favrr exploit follows the same payroll path
A second incident surfaced on June 25, when the freelance services token project Favrr lost more than $680,000 following its listing on a DEX. On-chain analysis linked the exploit to the consolidation wallet 0x477, which received recurring payments from Favrr payroll addresses 0x1708 and 0x6412.
Gate.io deposit address 0xab7 received part of the stolen Favrr tokens and was previously funded by the suspected developer behind “sujitb2114.”
Favrr announced that it would refund all initial decentralized offering participants, cancel its MEXC listing, and initiate a thorough audit of its codebase. The project added that it will publish a new launch timeline “in the coming weeks” and advised users to avoid trading impostor tokens in the interim.
ZachXBT reported that Favrr’s chief technology officer, listed as Alex Hong, deleted his LinkedIn profile after the exploit. Attempts to verify his work history with previous employers were unsuccessful.
The investigator plans to release aggregate data on payroll flows to wallets tied to the same North Korean cluster, contending that basic due diligence checks would have flagged the hires.
The stolen funds from the ChainSaw collections remain idle, while most Favrr proceeds have already passed through Gate.io and several nested services.
ZachXBT said he has not reached the teams because their direct message channels are closed, and official Telegram or Discord rooms do not provide contact options.
The incidents bring renewed attention to the risks of “shadow hiring” in crypto projects that outsource development through gig-work platforms.
Investigators continue to follow the on-chain trails, and affected communities await formal statements from Furie, ChainSaw, and Favrr.