On-chain investigator ZachXBT revealed details of a North Korean-linked operation after analyzing leaked data from an internal payment server.
His findings show a coordinated scheme generating about $1 million per month through fake identities, forged documents, and crypto-to-fiat conversions, with funds routed through platforms like Payoneer.
Key Points
- ZachXBT uncovered a DPRK-linked ~$1 million per month scheme using fake identities and forged documents.
- The operation has processed over $3.5 million since November 2025.
- Evidence revealed 33 IT workers communicating via IPMsg while using tools like Astrill VPN.
- Blockchain tracing linked wallet activity to known DPRK clusters, with one Tron address frozen by Tether in December 2025.
- DPRK-linked actors stole $2.02 billion in crypto in 2025 (60% of global theft), including a $1.5 billion Bybit hack.
Leaked Server Data Reveals Hidden Operation
The data came from a compromised device used by a DPRK IT worker linked to a hacking group. ZachXBT identified malware on the device that exposed IPMsg chat logs, browsing history, and several fake identities used to apply for jobs.
Within those chats, users discussed a platform called luckyguys[.]site. The platform worked as an internal payment system, similar to a messaging app, where workers reported earnings to their handlers.
ZachXBT also found basic security failures on the platform. Specifically, at least ten users kept the default password 123456 unchanged. The system listed users with roles, Korean names, cities, and coded group names that match known DPRK IT worker structures.
Payment Structure and Fund Movement
In terms of fund movements, ZachXBT found that since late November 2025, the system has handled more than $3.5 million in crypto payments. Workers typically sent crypto from exchanges or other services, then converted those funds into cash through Chinese bank accounts or platforms such as Payoneer.
To coordinate the process, a central admin account known as PC-1234 confirmed payments and shared account details for different platforms, including crypto exchanges and fintech services.
Meanwhile, conversations between users, including one named Rascal, showed how the system managed payments between December 2025 and April 2026, often using fake identities. The system also included Hong Kong addresses for billing and goods, although ZachXBT noted that these addresses still need to be verified.
Blockchain tracking linked the payment wallets to known DPRK-related activity. Tether had frozen one Tron wallet in December 2025. The investigation highlighted two wallet addresses connected to the operation: “0xb…998” and “TSx…7L3.”
The Group Received Internal Training
The compromised device, linked to a user called Jerry, showed the use of Astrill VPN and multiple fake identities for job applications. Notably, internal Slack messages included a discussion about a blog post describing a DPRK deepfake job applicant.
Screenshots also showed 33 DPRK IT workers communicating through IPMsg on the same network. In one exchange, Jerry discussed a possible plan to steal from a project using a Nigerian proxy. The target was Arcano, a GalaChain-based game, though it remains unclear if they carried out the plan.
8/ Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.
An internal Slack showed ‘Nami’ sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren’t allowed to… pic.twitter.com/7ZdGbX91WT
— ZachXBT (@zachxbt) April 8, 2026
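The finding that 33 IT workers were chatting over IPMsg on one network is the kind of signal a defender can look for in flow logs. The block below is an added illustration, not code from ZachXBT or the article: it assumes a simplified flow-log line format (timestamp, source, destination, protocol, destination port, bytes) and relies on the fact that IP Messenger uses port 2425 by default. The log lines are constructed for the example, and the alert threshold (three or more hosts on one /24) is a chosen assumption.

```python
"""Flag clusters of workstations talking over IP Messenger (IPMsg).

Added example, not part of the original article. IPMsg's documented default
port is 2425 (UDP and TCP); several hosts on one subnet exchanging traffic on
that port is a weak but cheap indicator worth surfacing for review.
The flow-log format below is an assumed simplified layout.
"""
from collections import defaultdict
import re

IPMSG_PORT = 2425  # IP Messenger default port

# Constructed sample flow-log lines: "<timestamp> <src> <dst> <proto> <dport> <bytes>"
SAMPLE_FLOWS = """\
2026-03-02T09:14:01Z 10.20.5.11 10.20.5.255 udp 2425 96
2026-03-02T09:14:01Z 10.20.5.12 10.20.5.255 udp 2425 96
2026-03-02T09:14:03Z 10.20.5.13 10.20.5.11 udp 2425 312
2026-03-02T09:14:07Z 10.20.5.40 142.250.72.14 tcp 443 5120
2026-03-02T09:14:09Z 10.20.5.14 10.20.5.12 udp 2425 188
2026-03-02T09:15:20Z 10.20.5.11 10.20.5.13 udp 2425 240
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\w+) (?P<dport>\d+) (?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse the assumed flow-log format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["bytes"] = int(d["bytes"])
        flows.append(d)
    return flows


def ipmsg_hosts(flows):
    """Hosts seen sending or receiving on the IPMsg port (broadcast targets excluded)."""
    hosts = set()
    for f in flows:
        if f["dport"] != IPMSG_PORT:
            continue
        hosts.add(f["src"])
        if not f["dst"].endswith(".255"):  # crude broadcast check for a /24
            hosts.add(f["dst"])
    return hosts


def ipmsg_cluster_alert(flows, min_hosts=3):
    """Return {subnet: [hosts]} for each /24 with at least min_hosts IPMsg peers."""
    by_subnet = defaultdict(set)
    for h in ipmsg_hosts(flows):
        by_subnet[h.rsplit(".", 1)[0]].add(h)
    return {s: sorted(hs) for s, hs in by_subnet.items() if len(hs) >= min_hosts}


if __name__ == "__main__":
    alerts = ipmsg_cluster_alert(parse_flows(SAMPLE_FLOWS))
    for subnet, hosts in alerts.items():
        print(f"IPMsg peer cluster on {subnet}.0/24: {', '.join(hosts)}")
```

On the constructed sample this flags four hosts on 10.20.5.0/24 and ignores the ordinary HTTPS flow. In practice the port match should be combined with other evidence, since IPMsg is also used legitimately; the value here is surfacing an unexpected cluster for an analyst to review.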
The group also received regular technical training. Between November 2025 and February 2026, the admin shared 43 training modules focused on tools like Hex-Rays and IDA Pro.
The sessions covered disassembly, decompilation, debugging, and general cybersecurity skills. One link shared on Nov. 20 explained how to use IDA tools to analyze and unpack malicious software.
ZachXBT noted that this group appeared less advanced compared to better-known ones such as Lazarus Group, AppleJeus, and TraderTraitor, which are more efficient and pose greater risks.
North Korea’s Growing Role in Crypto Crime
Globally, North Korea’s involvement in crypto-related crime has continued to expand. In 2025, DPRK-linked groups stole at least $2.02 billion in cryptocurrency, per Chainalysis. This marked a 51% increase from 2024 and accounted for about 60% of the $3.4 billion stolen globally. Their estimated total crypto theft now stands at $6.75 billion.
One major incident occurred in February 2025, when the Lazarus Group exploited a weakness in Bybit’s system. The attack led to the theft of about $1.5 billion in Ethereum, making it the largest single crypto heist on record.
ZachXBT had earlier linked similar IT worker schemes to more than 25 crypto-related hacks or extortion cases in September 2025. These operations reportedly generated close to $800 million in 2024, with funds sent back to support the regime.
Disclaimer: This content is informational and should not be considered financial advice. The views expressed in this article may include the author’s personal opinions and do not reflect The Crypto Basic opinion. Readers are encouraged to do thorough research before making any investment decisions. The Crypto Basic is not responsible for any financial losses.