North Korean Hackers Drain $1.2M From Seedify Bridge

In brief

• North Korean hackers compromised Web3 gaming incubator Seedify’s cross-chain bridge, draining $1.2 million across BNB Chain networks.
• The attack exploited a developer’s private key to mint unauthorized SFUND tokens through an audited bridge contract that should have prevented such minting.
• Blockchain sleuth ZachXbt linked the theft addresses to past North Korean “Contagious Interview” incidents through on-chain analysis

North Korean state-affiliated hacker groups have claimed another victim in the DeFi sector, exploiting Web3 gaming incubator Seedify Fund’s token bridge infrastructure to steal $1.2 million while devastating the platform’s native token SFUND across multiple exchanges.

The attack on Tuesday targeted Seedify’s cross-chain bridge on BNB Chain, allowing hackers to mint unauthorized tokens and systematically drain liquidity pools across Ethereum, Arbitrum, and Base networks before converting proceeds on BNB Chain, the platform said in its official statement.

Today at approximately 12:05 UTC, a DPRK state-affiliated group known for many hacks in Web3 gained access to one of our developer’s private keys. Using these, they were able to mint a large amount of SFUND tokens through a bridge contract that had previously passed audit.

The…

— Seedify (@SeedifyFund) September 23, 2025

“The Seedify theft addresses are tied onchain to past Contagious Interview incidents (DPRK),” blockchain sleuth ZachXBT tweeted following the breach, linking the the attack to an ongoing campaign that has claimed over 230 victims between January and March alone, per a recent SentinelLABS intelligence report.

The SFUND token has plunged nearly 35% in the last 24 hours, now trading at $0.28, according to CoinGecko data. It was trading at $0.42 before the hack was reported.

“DPRK/Lazarus decided to take everything we built over 4.5 years in one hack,” Seedify founder Meta Alchemist tweeted in response to the breach.

“The Seedify hack stemmed from a compromised developer key that let DPRK-linked actors mint unauthorized $SFUND tokens via a bridge contract,” Hakan Unal, Senior Security Operations Center Lead at Cyvers, told Decrypt.



“This contract should not have been able to mint these tokens without any token being bridged,” Seedify explained in its official statement, revealing the fundamental vulnerability that allowed unauthorized token creation.

“The hacker wallets connect on-chain to prior DPRK operations, highlighting how aggressive their ongoing rampage across Web3 has become,” Unal explained, recommending platforms monitor on-chain activity and enforce multi-signature approvals.

The crypto industry mobilized quickly in response, with Binance founder Changpeng Zhao (CZ) saying security experts helped freeze $200,000 at HTX exchange, and “the rest seem to remain on-chain.”

Talked to a few security guys in the industry. I believe they were able to help track it and froze $200k at HTX, the rest seem to remain on-chain. Looks like North Korea DPRK.

Major CEXs probably have these addresses on blacklists now. Good luck!

— CZ 🔶 BNB (@cz_binance) September 24, 2025

‘Contagious Interview’ campaign threat actors operate in “coordinated teams with real-time collaboration, likely using Slack and multiple intelligence sources such as Validin, VirusTotal, and Maltrail” to monitor their infrastructure exposure, SentinelLABS said.

The report also found that despite DPRK hackers “thoroughly examining threat intelligence and identifying artifacts that can be used to discover their infrastructure,” they “did not implement systematic, large-scale changes to make it harder to detect,” instead quickly deploying new infrastructure when disrupted.

“The competitive pressures stemming from North Korea’s annual revenue quotas” drive operatives to protect individual assets and ‘outperform colleagues’ rather than coordinate security improvements,” the cybersecurity firm said.

A recent Cisco Talos intelligence report showed that North Korean groups are continuing to refine their attacks with new malware like “PylangGhost,” targeting crypto professionals through fake Coinbase and Uniswap job postings.

With known DPRK-related losses in 2024 totaling $1.3 billion, the ByBit hack’s $1.5 billion alone has already made 2025 “by far their most successful year to date,” according to Chainalysis’ 2025 Crypto Crime Mid-year Update.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Source link