ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms
Blockchain investigator ZachXBT exposed a $3.5 million North Korean cryptocurrency operation involving fake developer identities and an internal payment system called luckyguys.site. The operation funneled earnings through Chinese bank accounts and linked to sanctioned entities, highlighting ongoing sophisticated crypto-related illicit activities by North Korean actors. This revelation underscores persistent security and regulatory challenges in the crypto industry.
A large batch of leaked internal data has revealed that North Korean IT workers generated over $3.5 million in cryptocurrency in recent months through a coordinated operation involving fake developer identities and structured payment systems, according to blockchain investigator ZachXBT. The information surfaced after an unnamed hacker compromised one of the workers’ devices, exposing records from an internal payment server tied to nearly 390 accounts, along with chat logs, browser data, and falsified identity documents used to secure jobs.

North Korean Crypto Operation

The dataset shows the operation brought in roughly $1 million per month, and individuals used forged credentials to obtain roles across projects while routing their earnings through an internal platform. ZachXBT revealed that communication and payment tracking were handled through a platform known as “luckyguys.site,” which functioned as an internal hub where workers logged transactions and reported income to administrators. The platform appeared to have minimal security safeguards, and multiple users relied on a default password.

User listings included roles, locations, and group identifiers similar to known North Korean IT worker structures, including links to entities sanctioned by the US Treasury’s Office of Foreign Assets Control, such as Sobaeksu, Saenal, and Songkwang. Meanwhile, chat records indicate that a central administrator account was responsible for confirming incoming transfers and distributing account credentials for various financial services.

Payments typically followed a consistent pattern, where funds received in cryptocurrency from exchanges or clients were converted into fiat and transferred through Chinese bank accounts using payment platforms like Payoneer. Blockchain tracing of these flows revealed connections to previously identified North Korean-linked wallets, including addresses later frozen by Tether in late 2025.

Data extracted from the compromised device, associate...