A network of North Korean IT workers generated more than $3.5 million in cryptocurrency over a matter of months by assuming false identities to secure developer jobs, while simultaneously attempting to compromise crypto projects. The data exposing the operation was obtained by an unnamed hacker who breached one of the workers’ devices and subsequently shared the findings with blockchain investigator ZachXBT, who published the information on X on Wednesday.
According to the leaked materials, a worker identified as Jerry led a team of 140 individuals collectively earning approximately $1 million per month, accumulating around $3.5 million in crypto since late November. The group coordinated payments through a website called luckyguys.site, protected by the shared password “123456.” ZachXBT noted that several users on the platform appeared to be affiliated with Sobaeksu, Saenal, and Songkwang, all of which are sanctioned by the US Office of Foreign Assets Control.
The cryptocurrency payments were converted into fiat currency and routed to Chinese bank accounts through online payment services including Payoneer. Tracing the associated wallet addresses also uncovered connections to other North Korean wallets that had been blacklisted by Tether in December, ZachXBT reported. The operation maintained an internal leaderboard tracking how much each worker had contributed to the group since December 8, with links to blockchain explorer pages displaying transaction records.
Screenshots shared by ZachXBT showed that Jerry used an Astrill virtual private network to access Gmail and submit job applications for full-stack developer and software engineer positions on Indeed. In one unsent email, Jerry drafted a cover letter for a WordPress content and search engine optimization role at a Texas-based T-shirt company, requesting $30 per hour for 15 to 20 hours of work per week. Identification documents were also falsified as part of the scheme.
A second worker, identified as Rascal, shared images of a billing statement bearing a fabricated name and a fake address in Hong Kong. Rascal also shared a photograph of an Irish passport, though it remains unclear whether the document was actively used in any application. The use of forged credentials points to a deliberate and organized effort to conceal the workers’ true origins and affiliations.
Despite the scale of the operation, ZachXBT noted that these IT workers were less sophisticated than other North Korean hacking groups such as AppleJeus and TraderTraitor, which he described as operating “far more efficiently” and presenting “the greatest risks to the industry.” North Korean state-backed actors have stolen more than $7 billion in funds since 2009, with a significant portion coming from cryptocurrency platforms. High-profile incidents attributed to the regime include the $1.4 billion breach of crypto exchange Bybit and the $625 million Ronin bridge hack.
North Korean hackers were also blamed for a $280 million attack on Drift Protocol on April 1. The continued activity of these groups underscores the persistent and evolving threat that state-linked actors pose to the broader cryptocurrency industry. Investigators and industry participants remain on alert as tactics grow increasingly elaborate.
Originally reported by CoinTelegraph.
