A major investigation by blockchain analyst ZachXBT has exposed a sophisticated North Korean IT worker network generating approximately $1 million per month through a coordinated system of identity fraud, fake job applications, and cryptocurrency theft. The breach, stemming from a compromised device infected with an infostealer, revealed the inner workings of a group involving at least 140 members.
The leaked data, shared by an unnamed hacker, included 390 accounts, chat logs, and transaction records. The group operated a payment coordination website called "luckyguys.site" protected by the weak password "123456." Members funneled crypto proceeds through wallets linked to OFAC-sanctioned North Korean entities like Sobaeksu, Saenal, and Songkwang, before converting funds to fiat via platforms like Payoneer and sending them to Chinese bank accounts.
Operational details were stark. The group maintained a leaderboard tracking each member's crypto contributions since December 8. One worker, "Jerry," used a VPN to apply for remote developer jobs on Indeed, seeking positions such as a WordPress specialist role at a Texas company paying $30/hour. Falsified identification documents, including a fake Hong Kong billing statement and an Irish passport, were used to create the fraudulent identities behind these applications.
ZachXBT noted these workers were less sophisticated than other notorious North Korean hacking groups like AppleJeus and TraderTraitor. However, the exposure highlights the persistent threat state-backed actors pose to the crypto industry. North Korean entities have stolen over $7 billion since 2009, with recent major attacks including the $1.4 billion Bybit hack and the $625 million Ronin bridge exploit.