ZachXBT Reveals North Korean IT Workers’ Crypto Operations

In a recent exposé, ZachXBT published internal data from a North Korean IT worker operation, tracing roughly $3.5 million in cryptocurrency transactions since November 2025. The findings, taken from a compromised device, include 390 accounts, chat logs, and transaction records. They show how the workers used fake identities, weak passwords, and a centralized reporting system to move approximately $1 million a month, with serious implications for cybersecurity and the global financial system.

Exposing the Internal Payment System

ZachXBT’s investigation, shared in an extensive X thread, details the inner workings of a payment server used by Democratic People’s Republic of Korea (DPRK) IT workers. An anonymous source provided the dataset, which includes IPMsg chat logs, account lists, and browser histories tied to the fraudulent operations. The main platform discussed among the workers is luckyguys[.]site, a remittance hub that served both as a messaging tool and as a reporting channel through which workers submitted earnings and received operational instructions. Security on the system was poor: numerous accounts used the default password "123456", leaving them open to anyone who tried it.

Transaction Patterns Revealing Crypto Flows

The transaction logs analyzed by ZachXBT show a systematic movement of funds across several channels. Workers moved cryptocurrency out of various exchanges and services and eventually converted it into fiat currency. Many of these transactions went through Chinese bank accounts and platforms such as Payoneer for off-ramping, pointing to a network built to cash out quietly. An administrative account, identified as PC-1234, confirmed payments and handed out account credentials for a range of cryptocurrency exchanges and fintech platforms. According to ZachXBT, wallet addresses tracked since November 2025 have collectively processed over $3.5 million, and many of them link directly to known DPRK entities.
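The linking ZachXBT describes, from a handful of attributed addresses outward to the wallets that fund them, is essentially a walk over the transfer graph. The following Python is an added illustration of that walk and is not ZachXBT’s tooling or data: the ledger, the address labels, and the known-DPRK seed set are all constructed for this example. It walks upstream from the seeds a bounded number of hops, optionally stops at service addresses such as exchange hot wallets (otherwise one hot wallet would pull every exchange customer into the cluster), and totals the value that moved inside the traced cluster.

```python
from collections import defaultdict, deque

# Constructed ledger of (sender, receiver, amount in USD). The address names
# are placeholders invented for this example, not addresses from the dataset.
TRANSFERS = [
    ("exchangeA_hot", "worker_1", 12000.0),
    ("exchangeB_hot", "worker_2", 8000.0),
    ("worker_1", "collector", 11500.0),
    ("worker_2", "collector", 7900.0),
    ("collector", "otc_desk", 19000.0),
    ("otc_desk", "known_dprk_1", 18500.0),
    ("unrelated_a", "unrelated_b", 500.0),   # noise that must not be pulled in
    ("worker_3", "known_dprk_2", 3000.0),
]

# Constructed seed set standing in for publicly attributed DPRK addresses.
KNOWN_DPRK = {"known_dprk_1", "known_dprk_2"}


def build_graph(transfers):
    """Index transfers by sender and by receiver so the walk can go either way."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for src, dst, amt in transfers:
        out_edges[src].append((dst, amt))
        in_edges[dst].append((src, amt))
    return out_edges, in_edges


def upstream_addresses(transfers, seeds, max_hops=3, stop_at=frozenset()):
    """Breadth-first walk backwards from the seeds: who funded them, who funded
    those, and so on, up to max_hops. Addresses in stop_at (e.g. exchange hot
    wallets) are recorded but never expanded, so a shared service does not
    drag unrelated customers into the cluster. Returns {address: hops}."""
    _, in_edges = build_graph(transfers)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops or addr in stop_at:
            continue
        for src, _ in in_edges[addr]:
            if src not in hops:
                hops[src] = hops[addr] + 1
                queue.append(src)
    return hops


def volume_through(transfers, addresses):
    """Total value of transfers whose sender and receiver are both in the cluster."""
    return sum(amt for src, dst, amt in transfers
               if src in addresses and dst in addresses)


def trace(transfers, seeds, max_hops=3, stop_at=frozenset()):
    """Cluster everything within max_hops upstream of the seeds and total its flow."""
    hops = upstream_addresses(transfers, seeds, max_hops, stop_at)
    return {"addresses": hops, "volume_usd": volume_through(transfers, set(hops))}


if __name__ == "__main__":
    result = trace(TRANSFERS, KNOWN_DPRK, max_hops=5,
                   stop_at={"exchangeA_hot", "exchangeB_hot"})
    for addr, h in sorted(result["addresses"].items(), key=lambda x: (x[1], x[0])):
        print(f"{h} hop(s) upstream: {addr}")
    print(f"value moved inside cluster: ${result['volume_usd']:,.2f}")
```

With the constructed ledger, a three-hop walk reaches the collector and the two workers feeding it but not the exchange hot wallets, and counts $59,900 of internal flow; raising the hop limit while marking the exchanges as stop points adds the two exchange withdrawals without walking into the exchanges’ other customers. Hop limits and stop sets are the two knobs that decide whether such a cluster is evidence or noise.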

Fabricated Identities and Coordination Among Workers

ZachXBT’s dataset also shows how the workers secured remote jobs with fabricated identities. The data from the compromised device included fake personas, job applications, and browser activity tied to the fraud. The workers routinely used Astrill VPN to hide their real locations. The investigation follows ZachXBT’s earlier criticism of Circle over its delay in responding to the $285 million Drift Protocol exploit. Internal communications point to close coordination across multiple platforms: 33 workers shared the same network over IPMsg, and Slack discussions referenced deepfake job applicants and planned thefts.

Potential Cyber Threats and Future Implications

In one communication thread, a user hinted at targeting a GalaChain project named Arcano through a Nigerian proxy. That attack has not been confirmed, but it shows the kind of operation these workers’ coordination makes possible. Training materials also circulated on the group’s network, showing a deliberate investment in technical skills: the admin shared a collection of 43 modules on reverse engineering with tools such as IDA Pro and the Hex-Rays decompiler, covering disassembly, debugging, and malware analysis.

A Call for Increased Vigilance and Action

ZachXBT’s exposé documents the operational methods of North Korean IT workers and gives industry participants and regulators reason to step up their vigilance. Weak security, fabricated identities, and an organized cash-out network together pose a real risk to financial systems and to the companies that unknowingly hire these workers. Some action has been taken, such as Tether freezing a Tron wallet in December 2025, but the workers’ tools and techniques keep evolving, and a coordinated response from exchanges, employers, and regulators will be needed to counter them.
