Key Highlights
- On-chain sleuth ZachXBT uncovered a sophisticated ring of 140 North Korean tech workers generating approximately $1M monthly in cryptocurrency
- The operation accumulated more than $3.5M from late November 2024 through fraudulent remote employment schemes
- Workers coordinated through “luckyguys.site,” a platform protected by the notoriously weak password “123456”
- Cryptocurrency proceeds were laundered through Chinese banking channels and services including Payoneer
- Multiple wallet addresses associated with the operation were traced to OFAC-sanctioned organizations, and at least one was blacklisted by Tether
Renowned blockchain detective ZachXBT unveiled compromised internal documents this week from a hacked device owned by a North Korean technology worker, exposing a sophisticated cryptocurrency fraud scheme that accumulated more than $3.5 million within mere months.
An anonymous cybersecurity researcher who infiltrated one of the workers’ computers provided the intelligence. ZachXBT shared his analysis on X, explaining how approximately 140 operatives, managed by an individual identified as “Jerry,” were generating roughly $1 million monthly in digital assets beginning in late November 2024.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The operatives leveraged fabricated identities to secure remote technology positions through job boards such as Indeed. Evidence included Jerry’s applications for full-stack development and software engineering positions while using Astrill VPN to conceal his true location.
Documentation revealed Jerry’s draft application for a WordPress and SEO specialist role at a Texas-based apparel company, requesting compensation of $30 hourly for 15 to 20 weekly hours.
A separate operative called “Rascal” employed falsified credentials and a Hong Kong mailing address on financial paperwork. The leaked materials also contained an image of an Irish passport, though its actual deployment remains unconfirmed.
Payment Infrastructure and Operations
The collective managed financial transactions via a website called “luckyguys.site.” Numerous user accounts on this platform relied on the trivial password “123456,” reflecting remarkably lax operational security.
The platform served dual purposes as both a communication channel and financial reporting system. Operatives logged their income and received directives through the interface. An administrator account designated PC-1234 validated transactions and provided access credentials for cryptocurrency exchanges and financial technology services.
Three organizations mentioned in the documents — Sobaeksu, Saenal, and Songkwang — currently appear on US Office of Foreign Assets Control sanctions lists.
Digital currency was converted to traditional money through Chinese financial institutions and platforms like Payoneer. Tether froze one connected Tron wallet in December 2024.
Attack Strategies and Educational Content
The compromised files revealed several operatives were plotting theft operations. One conversation discussed targeting the Arcano project on GalaChain using a Nigerian intermediary, though actual execution remains unverified.
Administrative personnel circulated 43 educational modules addressing reverse engineering technologies including Hex-Rays and IDA Pro, emphasizing disassembly techniques, debugging procedures, and malware examination.
The complete dataset encompassed 390 user credentials, conversation records, and browsing activity. One discovery showed 33 workers coordinating through IPMsg on the same network infrastructure.
ZachXBT observed that this collective was less technically sophisticated than other North Korean operations such as AppleJeus and TraderTraitor.
North Korean state-sponsored threat actors have misappropriated over $7 billion cumulatively since 2009. This particular group also maintained connections to the $280 million Drift Protocol breach on April 1, 2025.