
ZachXBT Exposes North Korean IT Workers Running $1M/Month Crypto Fraud Network


TLDR: ZachXBT obtained leaked data from 390 accounts on a North Korean internal payment server via an infostealer. Over $3.5M moved through network wallets since late November 2025, with one Tron address frozen by Tether. Three OFAC-sanctioned companies, Sobaeksu, Saenal, and Songkwang, appeared directly in the breached data. Workers received IDA Pro cybersecurity training modules, pointing to capabilities beyond basic financial fraud.

A major breach of an internal North Korean payment server has revealed a sophisticated fraud network generating nearly $1 million per month. On-chain investigator ZachXBT obtained data from an unnamed source, including 390 accounts, chat logs, and crypto transactions. The leaked data exposed fake identities, forged legal documents, and crypto-to-fiat conversion methods. Since late November 2025, over $3.5 million moved through the network's payment wallet addresses.

How the Payment Network Operated

The breach originated from a DPRK IT worker's device that had been compromised by an infostealer. Data extracted from the device included IPMsg chat logs, fake identity documents, and browser history. Investigators traced activity to a site called luckyguys[.]site, described as an internal payment remittance platform. The platform functioned similarly to a messaging app, allowing workers to report payments back to handlers. Ten users on the platform still had the default password, 123456, unchanged.

The user list included roles, Korean names, cities, and coded group names consistent with known DPRK IT worker operations. Three sanctioned companies appeared in the data: Sobaeksu, Saenal, and Songkwang, all currently under OFAC sanctions. ZachXBT posted on X that the remittance pattern was consistent across users. Workers transferred crypto from exchanges or services, or converted funds to fiat through Chinese bank accounts via platforms like Payoneer.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korea...
