{"id":90655,"date":"2025-11-04T21:35:18","date_gmt":"2025-11-04T18:35:18","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=90655"},"modified":"2025-11-04T21:40:24","modified_gmt":"2025-11-04T18:40:24","slug":"researcher-uncovers-undisclosed-44-million-hack-of-dwf-labs","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/researcher-uncovers-undisclosed-44-million-hack-of-dwf-labs\/","title":{"rendered":"Researcher Uncovers Undisclosed $44 Million Hack of DWF Labs"},"content":{"rendered":"<p>In September 2022, market maker DWF Labs likely suffered a hack amounting to over $44 million. The company did not publicly disclose the attack, according to an on-chain researcher known as tanuki42.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1\/8 It&#8217;s likely that the market maker <a href=\"https:\/\/twitter.com\/DWFLabs?ref_src=twsrc%5Etfw\">@DWFLabs<\/a> was compromised in September 2022 by a DPRK-affiliated threat actor called AppleJeus, resulting in a theft of at least $44M+ composed predominantly of USDC and USDT.<\/p>\n<p>As of November 2025, DWF has not publicly confirmed any incident. <a href=\"https:\/\/t.co\/HGXGUoJaqc\">pic.twitter.com\/HGXGUoJaqc<\/a><\/p>\n<p>\u2014 tanuki42 (@tanuki42_) <a href=\"https:\/\/twitter.com\/tanuki42_\/status\/1985720747923304520?ref_src=twsrc%5Etfw\">November 4, 2025<\/a><\/p><\/blockquote>\n<p>The attack began on September 22 with the draining of one of the project&#8217;s addresses. 
Subsequently, cryptocurrencies started flowing into the same wallet from centralized exchanges, indicating a compromise of private keys and account credentials.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-e32f54363f8f65f7-8672859901047930.webp\" alt=\"image\" class=\"wp-image-268961\"\/><figcaption class=\"wp-element-caption\">Source: X.\u00a0<\/figcaption><\/figure>\n<p>Although the attack lasted more than five hours, DWF Labs made no successful attempt to halt the withdrawal of funds, tanuki42 added.<\/p>\n<p>The following day, September 23, the hackers carried out another alleged &#8220;draining.&#8221;<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-0b6b2cd5bffffeb9-8672861701079438.webp\" alt=\"image\" class=\"wp-image-268962\"\/><figcaption class=\"wp-element-caption\">Source: X.\u00a0<\/figcaption><\/figure>\n<p>The stolen assets were quickly converted into Bitcoin via the Ren Protocol bridge. Afterward, the coins remained dormant for a long time, but they have recently started moving into the crypto mixer Mixero.<\/p>\n<p>According to the researcher, the attack and laundering strategy may suggest the involvement of the North Korean group AppleJeus. 
Hackers used similar services to move assets after breaches of Deribit, Tower Capital, and Radiant.<\/p>\n<p>The compromised wallet was linked to DWF Labs by the analyst because it interacted with the address of Yield Guild Games, which collaborates with the market maker.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"368\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-53fad7a5deef6129-8672864950522631-1024x368.png\" alt=\"image\" class=\"wp-image-268963\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-53fad7a5deef6129-8672864950522631-1024x368.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/img-53fad7a5deef6129-8672864950522631-300x108.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/img-53fad7a5deef6129-8672864950522631-768x276.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/img-53fad7a5deef6129-8672864950522631.png 1199w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: X.\u00a0<\/figcaption><\/figure>\n<p>The alleged DWF Labs wallet also transferred funds to the treasury address of MagnifyCash (formerly NFTY Finance). On the same day, the market maker announced a strategic partnership with the project on social media.<\/p>\n<p>Assets linked to the attack, amounting to about $30 million, remain unmoved, noted tanuki42. He sought assistance in the investigation from on-chain sleuth ZachXBT and cybersecurity firm TRM Labs.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">DWF hiding a $44M hack? <\/p>\n<p>Cannot say I\u2019m surprised. 
<a href=\"https:\/\/t.co\/AAWgdJeH8Q\">pic.twitter.com\/AAWgdJeH8Q<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/1985722802767556644?ref_src=twsrc%5Etfw\">November 4, 2025<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cDWF Labs hiding a $44M hack? Cannot say I\u2019m surprised,\u201d commented ZachXBT.<\/p>\n<\/blockquote>\n<p>Earlier on November 4, the DeFi protocol Stream Finance <a href=\"https:\/\/u1f987.com\/en\/news\/stream-finance-halts-operations-following-93-million-loss\">suspended<\/a> operations following a $93 million hack. Experts <a href=\"https:\/\/u1f987.com\/en\/news\/collateral-damage-from-stream-finance-hack-estimated-at-285-million\">estimated<\/a> the associated damage at $285 million.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In September 2022, market maker DWF Labs likely suffered a hack amounting to over $44 million. 
The company did not publicly disclose the attack, according to an on-chain researcher known as tanuki42.<\/p>\n","protected":false},"author":1,"featured_media":90656,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"The 2022 incident is allegedly linked to a DPRK group.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44],"class_list":["post-90655","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime"],"aioseo_notices":[],"amp_enabled":true,"views":"238","promo_type":"1","layout_type":"1","short_excerpt":"The 2022 incident is allegedly linked to a DPRK group.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/90655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=90655"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/90655\/revisions"}],"predecessor-version":[{"id":90657,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/90655\/revisions\/90657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/90656"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=90655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=90655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=90655"}],"curies":[{"name":"wp","href":"https:\/\/
api.w.org\/{rel}","templated":true}]}}