North Korean IT specialists are posing as regular developers to infiltrate crypto projects, only to later hack them. This was reported by on-chain detective ZachXBT.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
— ZachXBT (@zachxbt) April 8, 2026
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
An anonymous source provided the expert with data from an internal North Korean payment server. The leak included 390 accounts, chat logs, and cryptocurrency transactions.
"I spent hours analyzing this data. It has never been published. The scheme turned out to be complex: fake identities, forged documents, and converting crypto to fiat at around $1 million per month," the expert wrote.
How the Scheme Works
One North Korean IT specialist, known as Jerry, had his computer hacked. The extracted data included chat logs from the IPMsg messenger, fake job seeker profiles, and browser history.
Analysis revealed that on the site luckyguys[.]site—an internal payment platform styled like Discord—fraudsters reported their received payments to their supervisors. The default password—"123456"—was left unchanged for ten users.
In the user accounts, ZachXBT found roles, Korean names, cities, and coded group names consistent with the activities of North Korean IT workers.
3/ The site's default password was 123456, which remained unchanged for ten users.
— ZachXBT (@zachxbt) April 8, 2026
The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.
Three companies which appeared are currently OFAC sanctioned: Sobaeksu,… pic.twitter.com/rKYS0TR9BL
The three companies mentioned in the report—Sobaeksu, Saenal, and Songkwang—are under OFAC sanctions.
Immediately after the investigation was published, luckyguys[.]site became inaccessible.
Update: The internal DPRK payment site has since been taken down after my post.
— ZachXBT (@zachxbt) April 9, 2026
However, all data was archived in advance. pic.twitter.com/9cRdopal5g
Details of Operations
From December 2025 to April 2026, a WebMsg user under the alias Rascal discussed payment transfers and the creation of fake identities with PC-1234, the server admin account through which all transactions were processed and confirmed.
4/ Here is one of the WebMsg users 'Rascal' and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.
— ZachXBT (@zachxbt) April 8, 2026
All payments are processed and confirmed through the server admin account: PC-1234.
Addresses in Hong… pic.twitter.com/akyjmTbL5J
Accounts and goods were paid for through addresses in Hong Kong (their authenticity is still being verified). Since late November 2025, over $3.5 million has been transferred to these wallets.
The transfer scheme was consistent: users either sent cryptocurrency from exchanges or services or converted it to fiat through Chinese bank accounts using platforms like Payoneer.
Structure and Hacking Attempts
Based on the collected data, ZachXBT reconstructed the entire organizational structure of the network, detailing payments to each user and group from December 2025 to February 2026.
Analysis of internal transactions revealed on-chain connections to several known clusters of North Korean IT workers. In December 2025, Tether froze one such wallet on the TRON network.
On Jerry's hacked device, traces of VPN usage and numerous fake resumes were found.
In a Slack chat, a user named Nami shared an article about a deepfake job applicant from North Korea. One colleague asked if it referred to them, while another noted that they were prohibited from sharing external links.
8/ Jerry's compromised device shows usage of Astrill VPN and various fake personas applying for jobs.
— ZachXBT (@zachxbt) April 8, 2026
An internal Slack showed 'Nami' sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren't allowed to… pic.twitter.com/7ZdGbX91WT
Jerry actively discussed with another North Korean IT worker the possibility of stealing funds from the Arcano project (a game on GalaChain) through a Nigerian proxy. It remains unclear whether they succeeded in executing the attack.
Training and Threat Level
From November 2025 to February 2026, the administrator sent the group 43 training modules on Hex-Rays/IDA Pro. The training included disassembly, decompilation, local and remote debugging, and other aspects of cybersecurity.
ZachXBT noted that this group of North Korean IT specialists is less sophisticated compared to AppleJeus and TraderTraitor, which operate more effectively and pose a greater threat to the industry.
He previously estimated the monthly earnings of North Korean developers at several million dollars, and the latest data confirmed these calculations.
"My unpopular opinion: hackers are wasting time not attacking low-level North Korean groups. The risk is low, there's almost no competition, and the targets may be worth it," the on-chain detective emphasized.
How to Identify a North Korean Hacker
A video went viral on the social network X showing an interview in which a North Korean IT worker was asked to insult the country's leader, Kim Jong Un.
Here is a video of a North Korean IT worker being stopped dead in their tracks upon being required to insult Kim Jong Un.
— tanuki42 (@tanuki42_) April 6, 2026
It won't work forever, but right now it's genuinely an effective filter. I'm yet to come across one who can say it. https://t.co/8FFVPxNm8X pic.twitter.com/KXI5efMo5L
The candidate did not comply: immediately after the request, the video froze. This may be because criticizing the leader is punishable by law in North Korea.
The developer had posed as a Japanese national named Taro Aikuchi. The day after the video was published, he deleted his resumes from LinkedIn and his personal website and changed his nickname on Telegram.
It is worth noting that in April, security researcher Taylor Monahan stated that North Korean IT specialists have been infiltrating DeFi protocols for at least seven years.
Among the projects affected by individuals from North Korea, she highlighted SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki, and many others.
