Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 185 · Rug Pull

Munchables Insider Exploit

Blast NFT game Munchables lost 17,413 ETH ($62.8M) to one of its developers, a likely North Korean operative hired to write the contract. All funds returned.

Date
Chain(s)
Status
Recovered
Attribution
Suspected DPRK developer ('Werewolves0493')

On March 26, 2024, the Blast NFT game Munchables lost 17,413 ETH — about $62.8 million at the time — to one of its own developers. After negotiation, the attacker returned every cent without a ransom demand.

What happened

Months earlier, Munchables had hired four developers to write its smart contracts. On-chain investigator ZachXBT later showed strong evidence that all four developer personas were the same individual — likely a North Korean operative working under multiple aliases, most notably the GitHub user Werewolves0493.

The developer had written the game's lock contract, which held user deposits, and crucially had retained the ability to upgrade it. Months after deployment, they did exactly that — pushing an upgrade that assigned themselves a deposited balance of 1,000,000 ETH, far more than the contract actually held. They then withdrew the full pool balance of 17,413 ETH against this fake balance.
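A monitoring check for the pattern described above, written as an added example rather than code from Munchables or any cited source: it rebuilds each account's expected balance from deposit and withdrawal events and compares it with the balances held in contract storage, so a balance written directly by an upgrade stands out. It assumes a simplified model; the function names, account labels and per-user deposit amounts are constructed, and only the 17,413 ETH pool and the 1,000,000 ETH credited balance come from the write-up.

```python
from decimal import Decimal

# Constructed sample data: only the 17,413 ETH pool and the 1,000,000 ETH
# credited balance come from the write-up; accounts and splits are made up.
DEPOSIT_EVENTS = [
    ("0xUserA", Decimal("10000")),
    ("0xUserB", Decimal("7413")),
]
WITHDRAW_EVENTS = []
POOL_HOLDINGS = Decimal("17413")

# Balances as read from contract storage after the upgrade.
LEDGER_AFTER_UPGRADE = {
    "0xUserA": Decimal("10000"),
    "0xUserB": Decimal("7413"),
    "0xDev": Decimal("1000000"),  # balance with no deposit event behind it
}


def net_deposits(deposits, withdrawals):
    """Rebuild each account's expected balance from the event history."""
    expected = {}
    for account, amount in deposits:
        expected[account] = expected.get(account, Decimal(0)) + amount
    for account, amount in withdrawals:
        expected[account] = expected.get(account, Decimal(0)) - amount
    return expected


def reconcile(ledger, deposits, withdrawals, holdings):
    """Return findings where contract storage disagrees with event history."""
    expected = net_deposits(deposits, withdrawals)
    findings = []
    for account in sorted(set(ledger) | set(expected)):
        recorded = ledger.get(account, Decimal(0))
        backed = expected.get(account, Decimal(0))
        if recorded > backed:
            findings.append(("unbacked_balance", account, recorded - backed))
    # Solvency invariant: recorded liabilities must not exceed funds held.
    liabilities = sum(ledger.values(), Decimal(0))
    if liabilities > holdings:
        findings.append(("insolvent", "pool", liabilities - holdings))
    return findings


if __name__ == "__main__":
    for finding in reconcile(LEDGER_AFTER_UPGRADE, DEPOSIT_EVENTS,
                             WITHDRAW_EVENTS, POOL_HOLDINGS):
        print(finding)
```

Run after every implementation upgrade and before withdrawals resume, either finding is a reason to keep the contract paused.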

Aftermath

  • Munchables' founders publicly negotiated with the attacker via on-chain messages. Within roughly 24 hours, the developer returned all private keys controlling the stolen funds — no ransom paid.
  • Munchables paused operations, completed an emergency contract audit and migrated to a redesigned lock contract.
  • The episode confirmed long-standing suspicions about North Korean operatives planting themselves as remote developers in crypto projects. ZachXBT documented similar engagements at half a dozen other protocols, and several other teams subsequently and quietly cut ties with suspect contractors.

Why it matters

Munchables crystallised the insider-developer threat model for crypto. Open hiring, anonymous contributors and remote-first workflows are core to how the industry moves fast — and they are exactly the conditions in which a planned long-term infiltration is hardest to detect. KYC for contractors with privileged commit access has since become more common, particularly for any developer who can ship contract upgrades.
