A small group of North Korean IT operatives, tied to a $680,000 crypto hack in June, has been using Google tools and even renting computers to infiltrate cryptocurrency projects, according to screenshots from one of their devices.
On Wednesday, blockchain investigator ZachXBT shared the images, offering a rare glimpse into the activities of a DPRK-linked hacker. The intel came from “an unnamed source” who managed to compromise one of the workers’ devices.
The same network of operatives was behind the $1.4 billion theft from crypto exchange Bybit in February and has stolen millions more from various blockchain protocols over the years.
Evidence shows the six-person team operates under at least 31 fake identities, complete with forged government IDs, phone numbers, and purchased LinkedIn and Upwork accounts. These false profiles help them secure crypto-related jobs.
One member reportedly interviewed for a full-stack engineer role at Polygon Labs, while other files revealed scripted interview answers claiming past experience at NFT marketplace OpenSea and blockchain oracle provider Chainlink.
North Korea Operatives Use AnyDesk and VPNs to Evade Detection
Leaked documents reveal that the North Korean IT workers landed roles such as “blockchain developer” and “smart contract engineer” on freelance sites like Upwork, then used remote access tools like AnyDesk to perform the work without their employers knowing. They also masked their real locations by using VPNs.
Data from Google Drive exports and Chrome profiles shows they relied heavily on Google tools to organize schedules, manage tasks, and track budgets, communicating in English with the help of Google’s Korean-to-English translation service.
One spreadsheet indicated the group spent a total of $1,489.80 in May on expenses to support their operations.
North Korea Hackers Probe Blockchain and AI Sectors
The North Koreans frequently use Payoneer to convert fiat into crypto, and one of their wallet addresses, “0x78e1a”, is “closely tied” to the $680,000 hack of the fan-token marketplace Favrr in June 2025, according to ZachXBT.
At the time, ZachXBT alleged that the project’s chief technology officer, known as “Alex Hong,” and several other developers were actually DPRK operatives posing as legitimate workers.
Leaked data also shed light on their interests. In one search, they asked if ERC-20 tokens could be deployed on Solana; in another, they looked up the top AI development companies in Europe.
ZachXBT urged crypto and tech companies to strengthen vetting processes for potential hires, warning that while many DPRK-led schemes aren’t particularly sophisticated, the sheer volume of job applications can cause hiring teams to overlook red flags.
The investigator also pointed to a lack of cooperation between tech firms and freelance platforms as a key weakness.
In July, the U.S. Treasury sanctioned two individuals and four entities tied to a North Korean IT worker network accused of infiltrating crypto companies.