ForkLog

Password ‘123456’ exposes a DPRK IT-worker network in crypto

North Korean IT specialists have been posing as ordinary developers to join crypto projects they later try to compromise, according to on-chain sleuth ZachXBT.

An unnamed source provided the researcher with data from an internal DPRK payments server. The leak included 390 accounts, chat logs and crypto transactions.

“I spent hours studying these data. They have never been published. The scheme turned out to be intricate: fake identities, forged documents and conversion of crypto to fiat at roughly $1m a month,” the expert wrote.

How the scheme worked

The computer of one DPRK IT worker, who used the handle Jerry, was compromised. Extracted data included IPMsg chat logs, fake job-seeker profiles and browser history.

Analysis showed that on luckyguys[.]site—an internal payments platform with a Discord-like interface—the fraudsters reported incoming payments to their handlers. The default password—“123456”—was left unchanged for ten users.
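The unchanged default password is the kind of weakness an operator of any internal platform can audit for offline. The following is an added example, not code from the article or from the platform it describes: it assumes a hypothetical user table with salted PBKDF2-SHA256 hashes and reports which accounts still verify against a list of known default credentials, without touching any live login.

```python
import hashlib
import hmac
import os

# Hypothetical storage scheme (assumption for this example, not the real platform's).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a self-hosted app might store credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user": name, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample table: two accounts never changed the shipped default.
SAMPLE_USERS = [
    make_user("alice", "123456"),
    make_user("bob", "correct horse battery staple"),
    make_user("carol", "123456"),
    make_user("dave", "password"),
]

# Defaults worth checking; "123456" is the one the article reports.
DEFAULT_CREDENTIALS = ["123456", "password", "admin"]


def find_default_credentials(users, defaults=DEFAULT_CREDENTIALS) -> dict:
    """Return {username: matched_default} for every account whose stored hash
    verifies against a known default. Runs entirely against the hash table."""
    hits = {}
    for u in users:
        for d in defaults:
            candidate = hash_password(d, u["salt"])
            # Constant-time comparison, as for any credential check.
            if hmac.compare_digest(candidate, u["hash"]):
                hits[u["user"]] = d
                break
    return hits


def is_default_password(password: str, defaults=DEFAULT_CREDENTIALS) -> bool:
    """Policy hook for account creation / password change: refuse a default."""
    return password in defaults


if __name__ == "__main__":
    for name, default in find_default_credentials(SAMPLE_USERS).items():
        print(f"{name}: still using default '{default}'")
```

Wire `is_default_password` into the password-set path so the audit finding cannot recur once cleaned up.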

Their accounts, ZachXBT found, listed roles, Korean names, cities and coded group names reflecting DPRK IT-worker operations.

Three companies that appeared in the records—Sobaeksu, Saenal and Songkwang—are sanctioned by OFAC.

Soon after the investigation was published, luckyguys[.]site went offline.

Operational details

From December 2025 to April 2026 a WebMsg user styling himself Rascal discussed payment transfers and the creation of fake identities in DMs with PC-1234. All transactions ran through, and were approved by, the server admin account PC-1234.

Accounts and goods were paid for via addresses in Hong Kong (their authenticity is still being verified). Since late November 2025 those wallets have received more than $3.5m.

The flow was formulaic: users either sent crypto from an exchange or service, or converted it to fiat via Chinese bank accounts using platforms such as Payoneer.

Structure and intrusion attempts

Drawing on the dataset, ZachXBT reconstructed the network’s organisational chart, including per-user and per-group payouts for December 2025 to February 2026.

Analysis of internal transactions revealed on-chain links to several known DPRK IT-worker clusters. In December 2025 Tether froze one such wallet on TRON.

Jerry’s compromised device showed VPN usage and a trove of fabricated resumes.

In an internal Slack, a user called Nami shared a blog post about a DPRK IT-worker deepfake job applicant. One colleague asked whether it was them; another noted they were not allowed to forward external links.

Jerry actively discussed with another DPRK IT worker the possibility of stealing funds from Arcano (a game on GalaChain) via a Nigerian proxy. It is unclear whether the attack was ever carried out.

Training and threat level

From November 2025 to February 2026 the administrator sent the group 43 Hex-Rays/IDA Pro training modules. The coursework covered disassembly, decompilation, local and remote debugging, and other aspects of cybersecurity.

ZachXBT noted that this DPRK IT group is less sophisticated than AppleJeus and TraderTraitor, which operate more effectively and pose the main threat to the industry.

He had previously estimated the earnings of North Korean developers at several million dollars a month, and the latest data corroborate those figures.

“My unpopular opinion: hackers are missing out by not attacking low-level DPRK groups. The risk is low, competition is almost non-existent, and the targets may be worth it,” the on-chain detective emphasised.

How to spot a North Korean hacker

A video from a job interview recently went viral on X, in which a DPRK IT worker was asked to insult the country’s leader, Kim Jong Un.

The candidate did not comply—the picture froze immediately after the request. One reason may be that criticising the leader is a criminal offence in North Korea.

The developer posed as a Japanese man named Taro Aikuchi. The day after the clip was posted he deleted his resumes from LinkedIn and his personal site, and changed his Telegram handle.

In April, MetaMask security researcher Taylor Monahan said that North Korean IT specialists have been getting hired at DeFi protocols for at least seven years.

Among the projects she highlighted were SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki and many others.
