TLDR
- Blockchain investigator ZachXBT exposed a network of 140 North Korean IT workers earning ~$1M/month in crypto
- The group made over $3.5M since late November 2024 using fake identities to land remote developer jobs
- They used a payment site called “luckyguys.site” secured with the password “123456”
- Funds were converted to fiat via Chinese bank accounts and platforms like Payoneer
- Wallet addresses linked to the group were connected to OFAC-sanctioned entities and blacklisted by Tether
Blockchain investigator ZachXBT published internal data this week from a compromised device belonging to a North Korean IT worker, revealing a coordinated crypto fraud operation that generated over $3.5 million in just a few months.
The data was shared by an unnamed hacker who had breached one of the workers’ devices. ZachXBT posted the findings on X, detailing how a team of roughly 140 workers, led by someone identified as “Jerry,” had been pulling in approximately $1 million per month in crypto since late November 2024.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The workers used fake identities to apply for remote tech jobs on platforms like Indeed. One screenshot showed Jerry applying for full-stack developer and software engineer roles using an Astrill VPN to mask his location.
In one unsent email, Jerry applied for a WordPress and SEO specialist position at a Texas t-shirt company, asking for $30 an hour for 15 to 20 hours of work per week.
Another worker, known as “Rascal,” used a fake name and Hong Kong address on billing documents. Rascal also had a picture of an Irish passport in the leaked files, though it is unclear if it was used.
How the Payment System Worked
The group coordinated payments through a site called “luckyguys.site.” Multiple accounts on the platform used the default password “123456,” pointing to poor internal security.
The site functioned as both a messaging and reporting hub. Workers submitted earnings and received instructions through it. An admin account labeled PC-1234 confirmed payments and distributed credentials for crypto exchanges and fintech platforms.
Three entities named in the data — Sobaeksu, Saenal, and Songkwang — are currently under US Office of Foreign Assets Control sanctions.
Funds were converted from crypto to fiat using Chinese bank accounts and services like Payoneer. One Tron wallet connected to the network was frozen by Tether in December 2024.
Hacking Plans and Training Materials
The leaked data also showed that some workers were planning theft attempts. One chat referenced targeting a project called Arcano on GalaChain through a Nigerian proxy, though the data does not confirm the attack happened.
An admin distributed 43 training modules covering reverse engineering tools including Hex-Rays and IDA Pro, focused on disassembly, debugging, and malware analysis.
The dataset included 390 accounts, chat logs, and browser histories. In one instance, 33 workers were found communicating through IPMsg on the same network.
ZachXBT noted this group was less sophisticated than other North Korean units like AppleJeus and TraderTraitor.
North Korean state-linked actors have stolen over $7 billion in total since 2009. The group was also linked to the $280 million hack of Drift Protocol on April 1, 2025.