North Korean Hacker Gains High Level Access to Waves’ Keeper-Wallet Codebase: Report - Unchained

A North Korean developer-turned-hacker, linked to online contracting rings known for infiltrating software projects, gained high-level access to the Waves Protocol’s Keeper-Wallet codebase, according to security researchers at Ketman**.**

The attacker, using the GitHub account “AhegaoXXX,” was able to open branches, create releases, and publish updates to the node package manager (npm) registry, effectively gaining control over the project’s code.

The GitHub account of a former Waves engineer, Maxim Smolyakov, was used to approve changes and trigger new releases. Ketman noted that this account had been inactive since 2023, but suddenly approved a pull request from the attacker.

This story is an excerpt from the Unchained Daily newsletter.

Subscribe here to get these updates in your email for free

Redirect rules were set up to move code from the main Waves Protocol organization to the Keeper-Wallet project, suggesting someone with inside knowledge was involved.

“We didn’t do the regular notification because Waves Protocol itself seems to be malicious,” said pseudonymous Ketman researcher @bigblackswan on X.

“Just don’t use it, don’t integrate it, don’t run their code,” they added.