Key Findings
- ZachXBT uncovered a coordinated network of 140 North Korean IT workers generating approximately $1M monthly in cryptocurrency
- The operation accumulated more than $3.5M starting from late November 2024 through fraudulent identity schemes targeting remote developer positions
- A payment coordination website called “luckyguys.site” relied on the easily guessable password “123456”
- Cryptocurrency earnings were laundered through Chinese banking channels and services including Payoneer
- Multiple wallet addresses associated with this network traced back to OFAC-sanctioned organizations and faced blacklisting by Tether
A blockchain investigator known as ZachXBT released internal documentation this week obtained from a compromised device used by a North Korean IT worker, uncovering an organized cryptocurrency fraud scheme that accumulated more than $3.5 million within several months.
An anonymous hacker who penetrated one worker’s device provided the information. ZachXBT shared the discovery on X, explaining how approximately 140 workers operating under a leader called “Jerry” were generating roughly $1 million monthly in cryptocurrency beginning in late November 2024.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The network relied on fabricated credentials to secure remote technology positions through platforms such as Indeed. Documentation showed Jerry submitting applications for full-stack developer and software engineer openings while using an Astrill VPN to conceal the operation's geographic location.
An unsent email draft showed Jerry pursuing a WordPress and SEO specialist opportunity at a Texas-based t-shirt business, requesting compensation of $30 hourly for 15 to 20 weekly hours.
A second worker identified as “Rascal” employed a fabricated identity paired with a Hong Kong address on payment documentation. The leaked materials also contained an image of an Irish passport associated with Rascal, though its actual usage remains unconfirmed.
Payment Coordination Infrastructure
The team managed financial transactions via a website known as “luckyguys.site.” Numerous platform accounts used the trivial password “123456,” a significant security weakness that helped expose the operation.
This website served dual purposes as a communication channel and reporting system. Team members logged their earnings and awaited further directions through the platform. An administrative account designated PC-1234 validated payments and shared login credentials for cryptocurrency exchanges and financial technology services.
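As an added, defensive example (not code from the article or from ZachXBT's report), the following Python audits a set of account records for the kind of credential weakness described above: passwords on a common-password blocklist, trivially sequential or repeated strings, passwords below a minimum length, and a single password shared across many accounts. The account names and passwords are constructed for illustration and are not from the leaked data.

```python
from collections import Counter

# Constructed sample: account -> password, as an audit tool might receive
# them from a credential export. These are illustrative values, not leak data.
SAMPLE_ACCOUNTS = {
    "PC-1234": "123456",
    "worker-01": "123456",
    "worker-02": "123456",
    "worker-03": "qwerty",
    "worker-04": "Correct-Horse-7-Battery",
    "worker-05": "password",
    "worker-06": "111111",
    "worker-07": "abcdef",
}

# Small illustrative blocklist. A real deployment would consult a breached-
# password corpus instead of a hand-written set like this one.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "abc123"}


def is_sequential(pw: str) -> bool:
    """True if every adjacent character pair steps by exactly +1 or -1
    (e.g. '123456', 'abcdef', 'fedcba')."""
    if len(pw) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs == {1} or diffs == {-1}


def is_repeated(pw: str) -> bool:
    """True if the password is one character repeated (e.g. '111111')."""
    return len(set(pw)) == 1


def weakness_reasons(pw: str, min_length: int = 12) -> list[str]:
    """Return the list of policy rules a single password violates (empty if none)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if is_sequential(pw):
        reasons.append("sequential")
    if is_repeated(pw):
        reasons.append("repeated")
    if len(pw) < min_length:
        reasons.append("short")
    return reasons


def audit_accounts(accounts: dict[str, str], reuse_threshold: int = 2) -> dict[str, list[str]]:
    """Map each account with a weak or widely shared password to its reasons.

    Accounts whose password passes every rule are omitted from the result.
    """
    counts = Counter(accounts.values())
    findings = {}
    for user, pw in accounts.items():
        reasons = weakness_reasons(pw)
        if counts[pw] >= reuse_threshold:
            reasons.append(f"shared-by-{counts[pw]}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

The same rules belong at password-set time, not only in a retrospective audit: rejecting blocklisted, sequential and repeated values when an account is created is what prevents a site from ending up with dozens of accounts behind “123456” in the first place. The shared-password check is the audit-only part, since it needs visibility across all accounts.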
Three organizations mentioned in the documentation — Sobaeksu, Saenal, and Songkwang — currently face sanctions from the US Office of Foreign Assets Control.
Cryptocurrency proceeds underwent conversion to traditional currency through Chinese banking institutions and platforms like Payoneer. Tether froze one Tron wallet associated with the operation in December 2024.
Malicious Activity Planning and Educational Resources
The compromised data revealed several workers developing strategies for theft operations. One conversation mentioned plans to target Arcano on GalaChain using a Nigerian intermediary, though evidence confirming execution of this attack remains absent.
An administrator circulated 43 educational modules addressing reverse engineering software including Hex-Rays and IDA Pro, with emphasis on disassembly techniques, debugging processes, and malware examination.
The information trove contained 390 user accounts, conversation records, and browsing activity. Documentation showed 33 workers exchanging messages via IPMsg while connected to an identical network.
ZachXBT observed this collective demonstrated lower technical capabilities compared to other North Korean teams such as AppleJeus and TraderTraitor.
State-affiliated actors from North Korea have extracted more than $7 billion altogether since 2009. This particular network also maintained connections to the $280 million breach of Drift Protocol occurring on April 1, 2025.