Inside North Korean Crypto Machine: ZachXBT's Latest Investigation

ZachXBT exposed a North Korean IT worker network draining crypto of $1M monthly through fake identities and a hidden payment platform.

Blockchain investigator ZachXBT has published one of his most detailed reports yet, and it pulls back the curtain on how North Korean IT workers are draining the crypto industry of millions every month.


An unnamed source handed ZachXBT data exfiltrated from an internal North Korean payment server. The dataset contained 390 accounts, private chat logs, and crypto transaction records spanning December 2025 through April 2026. None of it had ever been made public. What ZachXBT found inside was a fully operational, organised scheme generating approximately $1 million per month through fraudulent identities, forged legal documents, and a disciplined crypto-to-fiat conversion network.


At the centre of the operation was a site called luckyguys[.]site — an internal remittance platform used by DPRK IT workers to report payments back to their handlers. Think of it as a private messenger built specifically for funnelling money. The platform's default password was 123456. Ten users had never changed it. The user list included real Korean names, city locations, coded group names, and assigned roles. Three of the companies that appeared in the data are currently sanctioned by OFAC: Sobaeksu, Saenal, and Songkwang.


Since late November 2025, more than $3.5 million passed through the payment wallet addresses tied to this network. The method was consistent across users. Workers would receive crypto from an exchange or service, or convert earnings to fiat through Chinese bank accounts via platforms like Payoneer. A central admin account identified only as PC-1234 would confirm receipt and distribute credentials for whichever exchange or fintech platform was being used that cycle. One Tron payment address was frozen by Tether in December 2025 — which means someone already knew this was happening. It did not stop the network.


One worker, referred to as "Jerry," was caught applying for remote jobs under fake personas while connected through Astrill VPN. Internal messages showed workers discussing a news article about a DPRK IT worker caught using deepfake technology during a job interview, nervously wondering aloud if it was one of them. Thirty-three workers were found communicating on the same network. This was not a small isolated cell. It was a workforce, with structure, discipline, and a very clear chain of command.


Between November 2025 and February 2026, the network's admin distributed 43 training modules on IDA Pro and its Hex-Rays decompiler, the standard commercial tooling for reverse engineering and binary analysis. The materials covered disassembly, decompilation, debugging, and unpacking hostile executables. These are not the tools of a basic payroll scam. They are the tools of people being trained to take software apart, a skill set that serves malware development and intrusion far more than it serves freelance web work.


ZachXBT is careful to note that this cluster sits below the more dangerous North Korean threat groups like AppleJeus and TraderTraitor, which are responsible for some of the largest crypto heists on record. This group is lower on the ladder. But lower does not mean harmless. ZachXBT has previously estimated that DPRK IT workers collectively generate multiple seven figures per month across the industry, and this investigation supports that number with receipts. The internal payment site went dark shortly after ZachXBT published. All data had already been archived.

The Industry Responds

ZachXBT's report did not drop in silence. It landed in the middle of a week where the industry was already grappling with the scale of North Korea's presence inside crypto teams. Days before the report, MetaMask security researcher Taylor Monahan claimed that more than 40 DeFi platforms had unknowingly employed state-sponsored North Korean developers, some going as far back as DeFi summer in 2020. "Lots of DPRK IT workers built the protocols you know and love," she wrote on X, adding that many of these workers had genuine blockchain experience, which made them exceptionally difficult to identify.


ZachXBT himself, when asked about the sophistication of these tactics, was direct. "Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way sophisticated," he said. "The only thing about it is they're relentless."


The broader community reaction was mixed. Many pointed to hiring negligence among teams that become defensive when alerted to potential security threats. Others pointed to the numbers: in 2025, DPRK-linked groups stole at least $2.02 billion in cryptocurrency — 60% of global theft that year — including a $1.5 billion Bybit hack. This latest investigation is not an isolated incident. It is one visible piece of a much larger operation.


What this investigation makes plain is that North Korea's crypto operation is not a collection of rogue freelancers. It is a structured, hierarchical enterprise with handlers, admins, trained workers, and a payment infrastructure that has been running for months without interruption. For any crypto project, exchange, or DAO that hires remote contributors, this is not a distant problem. These workers are applying for jobs right now, with polished portfolios and faces that may not be their own. Verification has never mattered more.


The blockchain is transparent. These networks are counting on the industry not paying attention.


All views expressed are the author’s personal opinions, and do not constitute investment advice.
