Blockchain investigator ZachXBT has identified a North Korean crypto scam network that generates almost $1 million monthly, after an unnamed hacker broke into one of the operation’s internal devices and shared the data.
A dataset containing 390 user accounts, chat logs, and crypto transaction records, obtained directly from the payment server used by the group, was published by ZachXBT on X on April 8, 2026. According to ZachXBT’s findings, the network has processed over $3.5 million in crypto since late November 2025, with a 140-member team generating about $1 million per month.
Inside the payment server: weak passwords and OFAC-sanctioned firms
At the center of the operation was a website called “luckyguys.site,” which functioned as an internal remittance hub where workers submitted earnings and received instructions. Access to the site was secured with a shared default password, “123456”, which ten users had never changed, ZachXBT noted in his thread.
The user list included Korean names, geographic identifiers, and coded group names. More critically, three companies that appeared directly in the data, Sobaeksu, Saenal, and Songkwang, are currently sanctioned by the U.S. Office of Foreign Assets Control (OFAC), linking the network to previously identified state-backed operations. Internal records also showed 33 workers communicating simultaneously on the same network through a messaging tool called IPMsg.
An administrative account labelled “PC-1234” confirmed incoming payments and distributed login credentials for crypto exchanges and fintech platforms. Workers then converted crypto to fiat using Chinese bank accounts, routing funds through online payment platforms including Payoneer. Blockchain tracing tied several wallet addresses to known DPRK-linked clusters; one Tron address had already been frozen by Tether in December 2025.
Fake IDs, forged passports, and job applications on Indeed
The investigation revealed a detailed identity fraud operation running alongside the payments network. A worker identified as “Jerry” used an Astrill VPN to mask his location while applying for software engineering and full-stack developer roles on Indeed. One unsent draft email showed Jerry preparing a job application for a WordPress SEO content position at a Texas-based T-shirt company, requesting $30 per hour for 15 to 20 hours a week.
Another worker, “Rascal,” shared billing statements using a fake name and address in Hong Kong, alongside what appeared to be an Irish passport. Internal Slack logs captured a conversation where users discussed a blog post about North Korean IT workers using deepfake technology to apply for jobs, raising the question, as ZachXBT noted, of whether the workers recognised themselves in the story. Jerry’s chat logs also showed plans to steal funds from Arcano, a GalaChain-based game, using a Nigerian proxy.
Cybersecurity training: the group was preparing for more than payroll fraud
Perhaps the most significant revelation was the scale of technical training inside the group. Between November 2025 and February 2026, the network’s admin distributed 43 training modules covering tools like Hex-Rays and IDA Pro, industry-standard software used for reverse engineering and malware analysis. Sessions covered disassembly, decompilation, local and remote debugging, and how to unpack hostile executables.
ZachXBT assessed this group as less sophisticated than elite DPRK units such as AppleJeus and TraderTraitor, which “operate far more efficiently and present the greatest risks to the industry.” But the training data suggests the group was actively developing its hacking capabilities, not simply running a jobs-based income scheme.
The bigger picture: North Korea’s crypto theft machine is growing
This exposure sits within a rapidly escalating pattern of North Korean state-backed activity targeting the crypto industry. According to Chainalysis, DPRK-linked actors stole a record $2.02 billion in 2025 alone, a 51% year-on-year increase, with the $1.5 billion Bybit breach accounting for a large share. Elliptic has tracked at least 18 DPRK-attributed crypto thefts in 2026 so far, pushing total losses for the year past $300 million.
The threat runs deeper than remote job scams. Just a week before ZachXBT’s findings, Drift Protocol, the largest decentralised perpetuals exchange on Solana, was drained of approximately $285 million in what investigators at Elliptic and TRM Labs described as a six-month infiltration campaign by UNC4736, a North Korean state group also tracked as AppleJeus or Citrine Sleet. Attackers built trust with the Drift team over months, attended industry conferences, deposited over $1 million in real capital, and then compromised two multisig signers through a malicious TestFlight app and a known VSCode vulnerability before executing the attack in roughly 12 minutes.
Separately, ZachXBT also revealed that ElementalDeFi, a Solana-based DeFi project, had unknowingly employed a DPRK IT worker for years, adding further weight to security researcher Taylor Monahan’s warning that over 40 DeFi protocols may have hired state-sponsored North Korean developers since at least 2020. A March 2026 Chainalysis report noted that OFAC sanctions tied to IT worker fraud schemes have targeted operations that generated an estimated $800 million in 2024.
What this means for crypto projects hiring remote developers
The latest breach paints a picture of an operation that is simultaneously crude in its opsec (a shared password of “123456” on a server holding millions) and sophisticated in its coordination, with internal leaderboards, structured payment rails, and ongoing hacker training running in parallel. For crypto projects, the message is uncomfortable: identity verification at the hiring stage is no longer optional. These workers have fabricated identities, employment histories, and in some cases, professional networks capable of passing standard due diligence.
Ledger CTO Charles Guillemet captured the broader risk just days after the Drift attack, stating that AI is driving the cost of crypto exploits “down to zero.” The workers exposed in ZachXBT’s latest thread may be lower-tier, but the infrastructure they operate within, and the training they are receiving, suggests that gap is narrowing.