On-chain sleuths warn Waves Protocol have been exploited by North Korean hackers

On-chain investigators noticed suspicious activity in the GitHub repositories of Waves Protocol, an early crypto project dating back to 2018. The GitHub activity affected repositories for the Keeper Wallet, potentially compromising Waves ecosystem users.

Waves Protocol may be compromised by malicious code introduced in its old GitHub repositories. Investigators discovered activity in the Keeper Wallet repos after two years of no updates. The newly added code may be traced to a DPRK hacker, who seems to have gained complete credentials to the project’s GitHub. 

The discovery happens just at the time when Waves is trying to revive the project and kick off Waves Summer 2025. The newly introduced code may put new users at risk. 

1/ ☀️ Waves Summer 2025 — Turning the Tide 🏄🏻‍♂️

The next 90 days will reshape Waves into an AI-native, L2-integrated, and institutionally anchored blockchain powerhouse.

Here’s what’s ahead 👇🌊 pic.twitter.com/R5uycNgRSA

— Waves 🌊 (@wavesprotocol) June 18, 2025

Waves was one of the high-profile ICOs in 2018, though it managed to raise just $18M. Waves was also prominent in the early crypto ecosystem, being one of the first protocols to offer tokenized versions of BTC. The Waves protocol was also the venue for multiple crypto scams and fake tokens. 

Waves was largely forgotten after its native WAVES token crashed by 93% in 2022, from a peak above $55. WAVES later sank to recent lows of $0.99. 

Reportedly, the project’s founder, Sasha Ivanov, used the USDN stablecoin to pump WAVES, later leading to a series of rug pulls. Waves used the chaotic early-stage DeFi, causing up to $500M in losses. However, unlike FTX, Luna, and other crashes in 2022, Waves was never investigated, and the events were forgotten. 

In 2025, Waves is attempting to make a return, with the double risk of financial losses and outright compromised wallets. 

Waves repos linked to DPRK hacking activity

Researchers from Ketman threat intelligence were scanning GitHub repositories for signs of hacking and the involvement of DPRK contributors. The scans follow several cases where DPRK developers infiltrated some of the biggest crypto projects. 

Suspicious activity was noticed in the Keeper wallet repo, which offered access to a browser extension wallet specifically created for the Waves ecosystem. 

Keeper Project is a spinoff of Waves and does not share teams. The early Waves team was also involved in building the wallet. Then, in the last three weeks, the repository started to receive new code. 

The suspicious account had full authority and was capable of controlling the repository and even making new wallet releases. The rights to the wallet release were linked to one GitHub account, which was suspected to belong to a DPRK hacker. The account included a potentially dangerous download link for the Keeper Wallet.

So far, there is no new release for Keeper, and the current wallet is considered relatively safe. However, a new release may be suspicious and cause harm, especially with the expected renewed marketing of Waves. 

The GitHub contributor AhegaoXXX also pushed an update that targeted and extracted wallet logs and errors to an external database, compromising privacy and being potentially malicious. The code may have capabilities to log wallet keys or phrases, though for now, it has not been added to the latest wallet release. 

Some of the code linked to Keeper Wallet has been published by the account of developer Maxim Smolyakov, leading the investigators to suspect some form of account takeover.

KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage