
Blast ecosystem project loses $60 million to hack, as North Korean hackers master social engineering
TechFlow Selected TechFlow Selected

Blast ecosystem project loses $60 million to hack, as North Korean hackers master social engineering
In addition to going undercover within teams, hackers also pose as clients or employers to approach developers.
By Joyce
Team Infiltrated by Hacker: Blast Ecosystem Project Loses $60 Million
This morning, Munchables, a gaming project within the Blast ecosystem, announced it had been attacked. According to PeckShield monitoring, there was an issue with Munchables’ lock contract, resulting in 17,400 ETH (approximately $62.3 million) being stolen.

Chain analyst ZachXBT’s investigation revealed that the attacker originated from within the Munchables development team—a North Korean hacker. Yu Xian, founder of SlowMist, commented on social media: “This is at least the second case SlowMist has encountered involving this kind of incident targeting DeFi projects. Core developers infiltrate and remain hidden for long periods, gaining full trust of the project team before ruthlessly striking when the time is right. There may be many more victims.”

North Korean Hackers’ Common Tactic: Exploiting Trust Within Developer Teams
North Korean hackers are among the most notorious actors in the crypto space. A report by cybersecurity firm Recorded Future shows that the infamous Lazarus Group has stolen $3 billion worth of cryptocurrency over the past six years alone, including $1.7 billion in 2022.
Unlike technically-focused hackers who exploit protocol vulnerabilities, North Korean hackers often target the development teams behind protocols—abusing trust and waiting for the perfect moment to strike, as seen in the recent Munchables breach.
In 2021, Google's security team discovered that Lazarus members frequently lurk on social platforms such as Twitter, LinkedIn, and Telegram, using fake identities to pose as active industry vulnerability researchers. They build credibility to later launch 0-day attacks against other security professionals.
Researchers at security firm Mandiant Inc. reported discovering in 2022 that a job applicant suspected to be a North Korean hacker submitted a resume nearly identical to legitimate candidates. These hackers have become adept at copying job postings from LinkedIn and Indeed to apply for positions at U.S.-based cryptocurrency firms.
Beyond posing as developers, North Korean hackers also disguise themselves as clients or employers to approach development teams.
In 2022, Axie Infinity’s sidechain Ronin suffered a $600 million theft—the largest single heist in crypto history. Initially, Ronin traced the breach to compromised validator nodes. Further investigations, however, revealed that the North Korean Lazarus Group had created a fake company and posed as an employer, contacting a senior engineer at Sky Mavis, Axie Infinity’s developer, via LinkedIn with a high-paying job offer.
Enticed by the lucrative salary, the senior engineer expressed interest in the opportunity and went through multiple rounds of interviews. During one interview, he received a PDF file detailing the job.
However, the document was malicious software that opened access to the Ronin system. When the employee downloaded and opened the file on his work computer, it triggered an infection chain, allowing hackers to infiltrate the Ronin network and gain control over four token validators and one Axie DAO validator.
This type of attack is known as an APT (Advanced Persistent Threat). SlowMist’s MistTrack previously summarized this method: attackers first create fake identities, pass real verification processes to appear as legitimate customers, then make genuine deposits. Under this cover, they interact with multiple official personnel, delivering customized Mac or Windows malware specifically targeting those individuals. Once inside, they move laterally across internal networks, remain dormant for extended periods, and eventually steal funds.
Returning to the current incident, after Munchables announced the breach, DeFi protocols within the Blast ecosystem connected to Munchables stated they were assessing potential losses. Fortunately, the hacker only stole ETH; users’ deposited WETH remained unaffected. Another Blast ecosystem protocol also announced it would airdrop points to those impacted by the Munchables attack.
CoderDan, founder of Aavegotchi, later posted on social media: “Aavegotchi’s development team, Pixelcraft Studios, briefly hired the individual behind the Munchables attack in 2022 for some game development work. His technical skills were poor, and he really did seem like a North Korean hacker. We fired him within a month. He even tried to get us to hire one of his friends, who was likely another hacker.”
CoderDan also provided Munchables with the wallet address commonly used by the hacker during his time at Pixelcraft Studios, hoping these clues could help recover the stolen funds.
In the dark forest of the crypto world, hidden dangers are ever-present. Both users and projects must remain vigilant and take robust security precautions.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News












