North Korean Crypto Scheme Exposed: $3.5M Stolen Through Fake Developer Identities
A sophisticated North Korean crypto fraud scheme involving 140 IT professionals was uncovered, generating about $1 million monthly and accumulating over $3.5 million since late 2024 through fake developer identities. The operation used weak security measures and laundered funds via Chinese banking channels and services like Payoneer, with associated wallets frozen by Tether due to OFAC sanctions. This exposure highlights ongoing risks of state-sponsored crypto crime and the effectiveness of blockchain forensics in disrupting illicit activities.
Key Highlights

- On-chain detective ZachXBT uncovered a sophisticated operation involving 140 North Korean IT professionals generating approximately $1 million monthly in cryptocurrency
- The network accumulated more than $3.5 million since late November 2024 through fraudulent identities used to secure remote development positions
- Operators utilized a payment portal dubbed “luckyguys.site” protected by the elementary password “123456”
- Cryptocurrency proceeds were liquidated through Chinese banking channels and services including Payoneer
- Digital wallet addresses associated with the operation were traced to OFAC-sanctioned organizations and subsequently frozen by Tether

Renowned blockchain detective ZachXBT released confidential information this week, obtained from a hacked device owned by a North Korean IT operative, exposing an organized cryptocurrency fraud scheme that amassed more than $3.5 million within several months. The intelligence was provided by an anonymous security researcher who successfully infiltrated one of the operatives’ computers. ZachXBT shared his analysis on X, explaining how approximately 140 workers, supervised by an individual using the alias “Jerry,” were generating roughly $1 million monthly in cryptocurrency starting in late November 2024.

“1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate… pic.twitter.com/aTybOrwMHq” — ZachXBT (@zachxbt) April 8, 2026

The operatives employed fabricated identities to secure remote technology positions on job boards such as Indeed. Evidence revealed Jerry submitting applications for full-stack development and software engineering opportunities while utilizing Astrill VPN to conceal his geographical location. In a draft correspondence discovered in the breach, Jerry pursued a WordPress and SEO s...