The Impersonator
They say the best place to hide a lie is between two truths.
Security researchers - our digital knights, first responders when blood pools in the protocol moat, sleuths who unravel complex exploits in code while the rest of us doom scroll through liquidations and broken dreams.
For over a year, the former Twitter user known as Nick Franklin (0xNickLFranklin), dutifully played this role, offering enlightened exploit breakdowns with nearly supernatural timing, analyzing every major exploit with surgical precision.
Trust built tweet by careful tweet.
All while allegedly working for North Korea.
The mask slipped when 1inch co-founder Anton Bukov exposed a poisoned apple - a malicious APP file masquerading as a security report, triggering an investigation that unraveled not just one operative but an entire network of digital spies.
Behind the carefully crafted persona of a helpful security researcher lurked a state-sponsored threat actor tied to multiple hacks, including Radiant Capital's $50M breach, building entire fake protocols, and penetrating the heart of crypto's security apparatus.
In an industry obsessed with detecting smart contract vulnerabilities, how did we miss the human exploit hiding in plain sight?
Blockchain thrives on radical transparency. Every transaction visible. Every hack is traceable. Every screw-up immortalized on-chain.
Meanwhile, Nick Franklin stalked the wreckage like a digital vulture.
He slithered into Telegram groups, carved out a Twitter presence, and circled fresh corpses with remarkable timing.
His digital persona - security researcher, exploit analyst, protocol savior - a masterclass in memetic infiltration.
His Twitter feed read like a textbook of Web3 exploits, consistently materializing at zero hour.
First to report, first to explain - even referenced in previous Rekt News stories.
When covering Polter Finance, PrismaFi and Lifi/Jumper exploits - Nick somehow knew key details before others.
What appeared as uncanny talent now reeks of insider knowledge.
While legitimate security researchers scrambled to understand complex exploits, Franklin appeared on the scene with unsettling speed.
His GitHub hummed with activity. His Telegram overflowed with connections. His now-deleted digital footprint mapped exploits with what now appears to be insider knowledge.
Why always first on the scene? The answer reeks of obviousness.
It’s hard to be late when you're holding the match.
On March 27th, the fantasy collapsed. When Anton Bukov publicly called out Franklin's suspicious APP file, the dominoes fell with brutal efficiency.
Our "security researcher" wasn't just another Discord degen with a GitHub account - he was digital camouflage for North Korea's elite Lazarus Group, architects behind some of crypto's bloodiest heists.
This wasn't some half-assed phishing campaign with broken English and misspelled domains. Franklin played the long game - methodically building reputation through thousands of messages, hundreds of interactions, and a web of connections that would make a spider jealous.
When we search for exploits in code, who's searching for the exploits sitting at the keyboard?
The Radiant Connection
Security researchers analyze hacks.
Hackers create them.
October 2024, Radiant Capital hemorrhaged $50 million in a meticulously executed multisig compromise.
When investigators tanuki42 and Taylor Monahan dug through Franklin's digital leftovers, they discovered a smoking gun.
An address Franklin casually used to request Sepolia testnet ETH matched one identified in Monahan's repository of Lazarus Group addresses - specifically, an address used for testing the exact attack that gutted Radiant.
Franklin wasn’t just studying security vulnerabilities - he may have been creating them. And when Radiant Capital lost $50 million, the fingerprints were already there.
Just weeks before the Radiant attack, Franklin's Telegram lit up with increasingly agitated messages about the protocol. In hindsight, these weren't security concerns but reconnaissance updates.
Even more brazen - Franklin was asking about Radiant two months before the attack while using one of the very accounts that would later execute the heist.
The digital equivalent of casing a bank while wearing your getaway driver's nametag.
Reviewing his post-hack analysis reveals a nauseating mix of technically accurate information (how convenient) sprinkled with misdirection to obscure his team's tracks.
His final, desperate message when confronted by Bukov claimed his "Telegram and personal site was compromised" - the digital equivalent of "the dog ate my homework" from a state-sponsored threat actor with nuclear missiles.
But Radiant wasn't the end game - just one heist in a larger operation.
How deep does this rabbit hole of deception really go?
The Network Unveiled
Yank on Franklin's digital identity and watch a whole nation tumble out.
One DPRK operative wasn't enough, so they sent a team.
Based on analysis by blackbigswann of Ketman, Franklin wasn’t operating alone.
Behind his facade lay a network - fake protocols, malware ops, and front-end devs running both exploits and low-effort scams.
Aqua Protocol - a fake lending platform with $800k in liquidity - floated in DeFi waters like bait on a hook. Franklin wasn't just analyzing hacks, he was building honeypots.
When Franklin's cover blew, Aqua Protocol's GitHub vanished faster than an exchange's reserves during a bank run.
Every repository, every commit, every trace - gone.
Behind him stood more shadows.
SonataM built front-ends. CrazyDream000 copied his work under new names. Jewelas connected both. One team, multiple masks.
These hackers worked both sides of the street.
APT malware for security teams Monday. "Trumpshair" tokens Tuesday. Job applications Wednesday.
North Korean hackers moonlighting as gutter-level scammers - million-dollar multisig exploits alongside shitcoin rugpulls named after presidential hairstyles.
When the same fingers typing your security audits are also coding your exploits, can any digital lock truly be trusted?
The Poisoned Apple
North Korea's digital disguise finally cracked with a poisoned apple.
The smoking gun? A malicious APP file Franklin tried to slide to 1inch co-founder Anton Bukov under the guise of a "security report."
Bukov wasn't born yesterday. The exchange triggered immediate suspicion - why send a suspicious executable instead of a standard PDF?
When questioned, Franklin promptly vanished - erasing chat history and blocking Bukov faster than a rug pull transaction.
The APP file bears all hallmarks of DPRK's infamous Lazarus Group, specifically their AppleJeus/Citrine Sleet operation.
Security researcher Pascal Caversaccio's analysis confirmed high-confidence attribution to North Korean state actors.
Why craft zero-days when social engineering opens the door?
Technical elegance takes a backseat to human manipulation - the oldest exploit in the book.
Most telling - when confronted, Franklin struggled to perform the crypto world's simplest CAPTCHA: publicly insulting Kim Jong-un.
The challenge went conspicuously unanswered.
If Bukov hadn't caught Franklin's moves, how many more poisoned reports would have found their way to crypto's inner circles?
Franklin vanished but left behind digital paranoia.
Security researchers analyze exploits. Security researchers write post-mortems. Security researchers join Telegram groups. Security researchers apply for jobs at your protocol.
Which ones work for Kim Jong-un?
Nick Franklin perfected his security analyst persona for over a year, gaining trust, accessing information, targeting high-value contacts.
One slip exposed him, but he succeeded far longer than he should have.
Crypto celebrates trustless systems while forgetting humans still build them.
Code gets three audits while people get none.
Digital ghosts now haunt Discord channels. Job applications. Helpful anons explaining yesterday's exploit.
How many more wolves hide among the watchdogs, patiently waiting to feast?