Munchables
A Web3 game on the Blast network drained of about $62.5M in March 2024 by one of its own developers — an insider whom investigators (ZachXBT) linked to North Korea. After negotiations, the developer returned all of the funds without a ransom.
Also known as: Munchables, Werewolves0493
Summary
Munchables was an NFT-based "GameFi" project on the Ethereum layer-2 network Blast. On March 26, 2024, an attacker drained about 17,400 ETH (~$62.5 million). Within hours, investigators determined the attack came from inside: a developer the project had hired had inserted a backdoor (pre-allocating a huge balance) and upgraded the contract to withdraw funds. [1][2]
Attribution and recovery
On-chain investigator ZachXBT linked the developer (GitHub alias "Werewolves0493," part of a cluster of linked accounts) to North Korea. After negotiations involving the Munchables and Blast teams, the developer returned all of the private keys and funds without demanding any ransom; the assets were moved to a multisig and users were made whole. The episode highlighted the risk of DPRK operatives being hired as crypto developers. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
- Munchables insider exploit ($62.5M) (Related, Projects): Munchables, a game on the Blast network, lost about 17,414 ETH (~$62.5M) on Mar 26, 2024 through contract manipulation. ZachXBT linked the hired developer(s) to a single person assessed as likely North Korean; the funds were later returned.
- Vulcan Forged (Related, Projects): A blockchain-gaming ecosystem on Polygon whose semi-custodial wallets were drained of about $140M on December 13, 2021. Attackers compromised Vulcan Forged's servers to obtain its wallet-provider (Venly) credentials and export 96 users' private keys; the team reimbursed users from its treasury.
Sources (2)
See also
- Loci (LOCIcoin) (Tokens): A 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT) (Tokens): A 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT) (Tokens)
This page was last updated on Jun 8, 2026.