Researcher Uncovers Undisclosed $44 Million Hack of DWF Labs

The 2022 incident is allegedly linked to a DPRK group.

In September 2022, market maker DWF Labs likely suffered a hack amounting to over $44 million. The company did not publicly disclose the attack, noted on-chain researcher known as tanuki42.

1/8 It’s likely that the market maker @DWFLabs was compromised in September 2022 by a DPRK-affiliated threat actor called AppleJeus, resulting in a theft of at least $44M+ composed predominantly of USDC and USDT.

As of November 2025, DWF has not publicly confirmed any incident. pic.twitter.com/HGXGUoJaqc

— tanuki42 (@tanuki42_) November 4, 2025

The attack began on September 22 with the draining of one of the project’s addresses. Subsequently, cryptocurrencies started flowing into the same wallet from centralized exchanges, indicating a compromise of private keys and account credentials.

Although the attack lasted more than five hours, no successful attempts were made by DWF Labs to halt the withdrawal of funds, added tanuki42.

The following day, September 23, the hackers carried out another alleged “draining.”

The stolen assets were quickly converted into Bitcoin via the Ren Protocol bridge. Afterward, the coins remained dormant for a long time, but they have recently started moving into the crypto mixer Mixero.

According to the researcher, the attack and laundering strategy may suggest the involvement of the North Korean group AppleJeus. Hackers used similar services to move assets after breaches of Deribit, Tower Capital, and Radiant.

The compromised wallet was linked to DWF Labs by the analyst because it interacted with the address of Yield Guild Games, which collaborates with the market maker.

The alleged DWF Labs wallet also transferred funds to the treasury address of MagnifyCash (formerly NFTY Finance). On the same day, the market maker announced a strategic partnership with the project on social media.

Assets linked to the attack, amounting to about $30 million, remain unmoved, noted tanuki42. He sought assistance in the investigation from on-chain sleuth ZachXBT and cybersecurity firm TRM Labs.

DWF hiding a $44M hack?

Cannot say I’m surprised. pic.twitter.com/AAWgdJeH8Q

— ZachXBT (@zachxbt) November 4, 2025

“DWF Labs hiding a $44M hack? Cannot say I’m surprised,” commented ZachXBT.

Earlier on November 4, the DeFi protocol Stream Finance suspended operations following a $93 million hack. Experts estimated the associated damage at $285 million.