North Korean Hackers Drain $1.2M From Seedify Bridge

In brief

  • North Korean hackers compromised Web3 gaming incubator Seedify’s cross-chain bridge, draining $1.2 million across BNB Chain networks.
  • The attack exploited a developer’s private key to mint unauthorized SFUND tokens through an audited bridge contract that should have prevented such minting.
  • Blockchain sleuth ZachXBT linked the theft addresses to past North Korean “Contagious Interview” incidents through on-chain analysis.

North Korean state-affiliated hacker groups have claimed another victim in the DeFi sector, exploiting Web3 gaming incubator Seedify Fund’s token bridge infrastructure to steal $1.2 million while devastating the platform’s native token SFUND across multiple exchanges.

The attack on Tuesday targeted Seedify’s cross-chain bridge on BNB Chain, allowing hackers to mint unauthorized tokens and systematically drain liquidity pools across Ethereum, Arbitrum, and Base networks before converting proceeds on BNB Chain, the platform said in its official statement.

“The Seedify theft addresses are tied onchain to past Contagious Interview incidents (DPRK),” blockchain sleuth ZachXBT tweeted following the breach, linking the attack to an ongoing campaign that has claimed over 230 victims between January and March alone, per a recent SentinelLABS intelligence report.

The SFUND token has plunged nearly 35% in the last 24 hours, now trading at $0.28, according to CoinGecko data. It was trading at $0.42 before the hack was reported.

“DPRK/Lazarus decided to take everything we built over 4.5 years in one hack,” Seedify founder Meta Alchemist tweeted in response to the breach.

“The Seedify hack stemmed from a compromised developer key that let DPRK-linked actors mint unauthorized $SFUND tokens via a bridge contract,” Hakan Unal, Senior Security Operations Center Lead at Cyvers, told Decrypt.

“This contract should not have been able to mint these tokens without any token being bridged,” Seedify explained in its official statement, revealing the fundamental vulnerability that allowed unauthorized token creation.

“The hacker wallets connect on-chain to prior DPRK operations, highlighting how aggressive their ongoing rampage across Web3 has become,” Unal explained, recommending platforms monitor on-chain activity and enforce multi-signature approvals.
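
The invariant Seedify describes (nothing minted unless tokens were bridged) can be monitored off-chain by reconciling destination-chain mints against source-chain locks. The sketch below is an added example, not code from Seedify, Cyvers or the original article; the event records, field names and sample data are hypothetical and constructed for illustration.

```python
from collections import namedtuple

# Hypothetical, simplified event records; a real bridge's event fields will differ.
Lock = namedtuple("Lock", "transfer_id amount recipient")     # source chain: tokens locked
Mint = namedtuple("Mint", "tx transfer_id amount recipient")  # destination chain: tokens minted

def find_unbacked_mints(locks, mints):
    """Return (tx, reason) for every mint not backed by exactly one matching lock."""
    backing = {l.transfer_id: l for l in locks}
    consumed = set()  # transfer ids that have already been minted once
    alerts = []
    for m in mints:
        lock = backing.get(m.transfer_id)
        if lock is None:
            alerts.append((m.tx, "no lock on source chain"))
        elif m.transfer_id in consumed:
            alerts.append((m.tx, "transfer id already minted"))
        elif m.amount != lock.amount:
            alerts.append((m.tx, "amount differs from lock"))
        elif m.recipient != lock.recipient:
            alerts.append((m.tx, "recipient differs from lock"))
        else:
            consumed.add(m.transfer_id)
    return alerts

def supply_gap(locks, mints):
    """Minted minus locked; anything above zero is unbacked supply."""
    return sum(m.amount for m in mints) - sum(l.amount for l in locks)

# Constructed sample data (not taken from the incident).
SAMPLE_LOCKS = [Lock("t1", 500, "0xaaa"), Lock("t2", 1200, "0xbbb")]
SAMPLE_MINTS = [
    Mint("0x01", "t1", 500, "0xaaa"),        # backed by lock t1
    Mint("0x02", "t2", 1200, "0xbbb"),       # backed by lock t2
    Mint("0x03", "t2", 1200, "0xbbb"),       # replay of t2
    Mint("0x04", "t9", 9_000_000, "0xccc"),  # nothing was bridged
]

if __name__ == "__main__":
    for tx, reason in find_unbacked_mints(SAMPLE_LOCKS, SAMPLE_MINTS):
        print(f"ALERT {tx}: {reason}")
    print("unbacked supply:", supply_gap(SAMPLE_LOCKS, SAMPLE_MINTS))
```

A monitor like this only detects; pairing it with a pause or multi-signature gate on the mint role is what turns an alert into a stopped drain.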

The crypto industry mobilized quickly in response, with Binance founder Changpeng Zhao (CZ) saying security experts helped freeze $200,000 at HTX exchange, and “the rest seem to remain on-chain.”

‘Contagious Interview’ campaign threat actors operate in “coordinated teams with real-time collaboration, likely using Slack and multiple intelligence sources such as Validin, VirusTotal, and Maltrail” to monitor their infrastructure exposure, SentinelLABS said.

The report also found that despite DPRK hackers “thoroughly examining threat intelligence and identifying artifacts that can be used to discover their infrastructure,” they “did not implement systematic, large-scale changes to make it harder to detect,” instead quickly deploying new infrastructure when disrupted.

“The competitive pressures stemming from North Korea’s annual revenue quotas” drive operatives to protect individual assets and “outperform colleagues” rather than coordinate security improvements, the cybersecurity firm said.

A recent Cisco Talos intelligence report showed that North Korean groups are continuing to refine their attacks with new malware like “PylangGhost,” targeting crypto professionals through fake Coinbase and Uniswap job postings.

With known DPRK-related losses in 2024 totaling $1.3 billion, the ByBit hack’s $1.5 billion alone has already made 2025 “by far their most successful year to date,” according to Chainalysis’ 2025 Crypto Crime Mid-year Update.


Vismaya V

https://decrypt.co/341076/north-korean-hackers-drain-1-2m-from-seedify-bridge

2025-09-24 11:59:00
