NFT projects lost roughly $1 million in crypto over the past week when hackers posed as IT staff and struck at the heart of minting systems. The breach hit fan-token marketplace Favrr and Web3 initiatives Replicandy and ChainSaw, among others.
According to onchain investigator and cybersecurity analyst ZackXBT, the attackers pushed out mass batches of NFTs, drove floor prices to zero, then cashed in their haul before teams could react.
NFT: Hackers Slip Into Web3 Teams
Based on reports, the group quietly joined development squads under false identities. They gained insider access to minting contracts. Then they minted thousands of tokens and NFTs in moments.
The sudden flood crushed floor prices and let the thieves grab hot cash in minutes. It all unfolded in under a week, and about $1 million vanished from these projects’ treasuries.
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. pic.twitter.com/85JRm5kLQO
— ZachXBT (@zachxbt) June 27, 2025
Mass Minting Drops Prices
Favrr suffered one of the biggest hits. The thieves dumped tokens so fast the market couldn’t catch up. Replicandy and ChainSaw saw similar moves. At Replicandy, floor values hit zero almost instantly.
ChainSaw’s stolen crypto still sits inactive in wallets, waiting for launderers to stir it back into exchanges. ZackXBT pointed out that nested services then further obscured the money trail.
4/ In total I estimate $310K+ from their projects was stolen and transferred primarily between the three address below.
0xf6a9349c54d51f7f76bbd2afd755b5dd75e617ee
0x7e580f916a8e93871b72a694407fb7d790de96a6
0x58f4299465b261e79713e5c78a7629cd656aed36 pic.twitter.com/8noeV48MUY— ZachXBT (@zachxbt) June 27, 2025
Funds Trace And Freeze Challenges
Onchain transfers moved funds through multiple exchanges and wallets. Analysts say tracing mixed outputs can take weeks. Exchanges must review huge logs.
That slows or even blocks law enforcement from locking down accounts. In the Coinbase data leak back in May 2025, about 69,461 customers had personal info exposed.
Contractors were bribed to hand over user data, leading to an extortion bid against the exchange.
Lessons From Broader Cyber Attacks
The NFT/Web3 insider episode echoes Ruby Sleet’s tactics. In November 2024, that group targeted aerospace and defense firms, then shifted to IT companies via fake hiring drives.
They used social engineering to plant malware and harvest credentials. Today’s blockchain and NFT hacks show that open and irreversible ledgers magnify mistakes. When insiders gain privileges, there’s often no undo button.
Security experts warn teams to rethink trust models. Zero‑trust approaches limit each engineer’s reach. Multi‑party approval gates could block sudden minting spikes.
Real‑time activity monitors can flag odd behavior right away. And code reviews paired with identity checks for every new hire help close gaps before they’re abused.
Featured image from Vecteezy, chart from TradingView
