Leaked data from a compromised device reveals that North Korean IT workers generated over $3.5 million in cryptocurrency through a coordinated operation. The workers used fake identities to secure roles and managed earnings via an internal platform, according to blockchain investigator ZachXBT.
Internal payment server data exposed by a hacker shows North Korean IT workers earned roughly $1 million per month. The operation involved nearly 390 accounts using forged credentials across various projects.
Communication and payments were tracked through an internal hub known as “luckyguys.site.” User listings identified roles and locations linked to sanctioned entities such as Sobaeksu, Saenal, and Songkwang.
An administrator confirmed incoming transfers and distributed financial service credentials. Earnings were converted to fiat and moved through Chinese bank accounts using platforms like Payoneer.
Blockchain tracing connected these flows to North Korean-linked wallets later frozen by Tether. Data from a user named “Jerry” revealed extensive VPN use and fabricated personas for job applications.
Internal logs captured discussions about exploiting crypto projects. Separately, administrators distributed training materials covering tools like IDA Pro.
Cybersecurity researcher Taylor Monahan stated that North Korea-linked workers have operated in crypto for years. Monahan explained that their resumes reflected real development experience on major DeFi protocols.
Projects such as SushiSwap, Yearn, and THORChain were among those cited. These actors later enabled large-scale exploits, according to the security expert.
The North Korean-affiliated Lazarus Group has been linked to major hacks. These include the $625 million Ronin Bridge exploit in 2022 and the $1.4 billion Bybit heist in 2025.
