How a North Korean dev tricked a Solana trading bot team and stole $1.4m

The government led by North Korea's leader, Kim Jong Un, has deployed thousands of IT workers to trick tech companies, authorities say. Illustration: Gwen P; Photos: Shutterstock
  • Solareum shut down after a hack in March.
  • Prosecutors say it was likely due to a recent hire.
  • The US government has seized almost $1 million in stablecoins.

The messages trickled in.

“Hello,” wrote one user in March. “All of my sol and token hacked.”

“Hello my wallet is drained as well,” wrote another.

“Hey, got drained, how to get refund,” texted another.

Soon, more and more panicked users funnelled into the support channel for Solareum, a bot that automatically traded users’ Solana to eke out profits for crypto traders.

One claimed to have lost $30,000 in crypto. Another lost over $200,000.

The Solareum team was at a loss. “There [sic] maybe a chance we got exploited,” they posted on X.

North Korean IT workers

Less than a year later, the US Department of Justice put the maybes to rest.

It appears the Solareum team had unwittingly hired a North Korean developer. The dev helped steal 6,045 Solana from the trading bot’s users, worth about $1.4 million, said prosecutors in a January 21 court filing.

The case offers a rare glimpse into how North Korean IT workers are worming their way into crypto companies, ripping off their users, and shutting them down.

The Treasury Department has publicly warned that North Korean developers are hiding their identities to trick technology — and crypto — companies into hiring them even as international sanctions isolate the Asian pariah nation.

So has the United Nations Security Council, which said that more than 4,000 North Koreans have been told to infiltrate tech companies and pull off cyberheists.

The scheme earns the Democratic People's Republic of Korea, or the DPRK, about $600 million annually, the UN estimated.

Amid the flood of North Korean developers on the job market, crypto companies are increasingly on the alert to weed out the dubious devs, DL News reported last year.

‘US Company 1’

While prosecutors identified Solareum only as “US Company 1,” the circumstances they lay out in seeking to take about $1 million in USDT, Tether’s stablecoin, all point to the Solana trading bot.

The federal government said the exploit of the “DeFi application for trading the Solana virtual currency via a trading bot” happened on March 29.

This was the same day users flooded social media and Solareum’s support channel to say their crypto was gone.

Prosecutors say the company is no longer in business. Solareum announced that it was shutting down shortly after the hack.

‘They started locking down their accounts and community channels.’

— Taylor Monahan, MetaMask

And Taylor Monahan, lead security researcher at crypto wallet MetaMask, told DL News that she believes the affected company was Solareum.

She and a number of other crypto security experts leapt into action in late March to help freeze the stolen funds when users reported that their wallets were drained of crypto.

DL News tried to reach the Solareum team, but two Telegram accounts associated with the project no longer exist. One account hasn’t responded, and Solareum’s website is offline.

“They were uncooperative, and even started locking down their accounts and community channels,” Monahan said, in reference to Solareum.

A new ‘dev’

In December, the Solareum team said in the app’s support channel that it was “onboarding a new dev.”

Monahan said she and other security experts weren’t able to identify who the developer was.

“Usually we ID the workers by their resume or payroll address that they give the team, but it requires the team’s cooperation,” she said.

After users reported that their wallets had been drained in March, the proceeds were laundered through crypto exchanges, including HTX, Binance, MEXC, EasyBit and FixedFloat, according to prosecutors.

The thieves then converted stolen Solana into USDT.

When Monahan was brought in to investigate the hack, she quickly thought it could be the work of a developer from North Korea.

“Onchain flows and indicators had major overlaps with prior thefts involving DPRK IT workers,” she said.

After she and other members of the crypto security community had compiled enough information, they were able to convince Tether to freeze the stolen funds on March 30.

Two months later, the FBI seized about $950,000 in USDT.

Profound regret

A spokesperson for the DOJ did not immediately respond to a request for comment asking whether the federal government plans to disburse the money back to the victims.

Solareum hasn’t posted anything on its social media accounts since March.

“It is with a profound sense of regret that we announce the closure of the Solareum project,” wrote the team one day after the hack.

“We want to express our heartfelt gratitude to each member of the Solareum community for your unwavering support and dedication.”

Ben Weiss is a Dubai-based reporter for DL News. Got a tip? Email him at bweiss@dlnews.com.