Key Takeaways
- A network of approximately 140 North Korean IT operatives generated roughly $1M monthly in cryptocurrency
- The operation accumulated more than $3.5M since November 2024 through fraudulent remote developer positions
- Accounts on a payment coordination website, “luckyguys.site,” were protected by the trivial password “123456”
- Cryptocurrency proceeds were laundered into traditional currency through Chinese banking channels and services like Payoneer
- Wallet addresses associated with the operation were linked to OFAC-sanctioned organizations, and Tether froze one of them
Blockchain investigator ZachXBT this week published findings drawn from data taken off a compromised device used by a North Korean IT operative, exposing an elaborate cryptocurrency fraud scheme that netted more than $3.5 million in a matter of months.
An anonymous security researcher who gained access to one of the workers’ computers supplied the data. ZachXBT posted his analysis on X, describing roughly 140 operatives, overseen by an individual using the alias “Jerry,” who generated about $1 million a month in digital assets from late November 2024 onward.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The operatives used fabricated personas to obtain remote technology jobs through job boards such as Indeed. The files show Jerry applying for full-stack development and software engineering roles while using an Astrill VPN connection to hide his real location.
One draft email showed Jerry applying for a WordPress and SEO specialist role at a Texas t-shirt retailer, asking $30 an hour for 15 to 20 hours a week.
A second operative, “Rascal,” used falsified credentials and a Hong Kong mailing address on financial documents. The files also included an image of an Irish passport associated with Rascal, though whether it was ever actually used is unclear.
The Payment Infrastructure Breakdown
The group tracked its payments through a website at “luckyguys.site.” Many user accounts on the site used the password “123456,” a striking lapse in operational security.
The site doubled as a communication channel and an earnings ledger: operatives recorded their pay and received instructions through it. An administrator account, PC-1234, approved transfers and handed out login credentials for cryptocurrency exchanges and fintech platforms.
Three organizations named in the data (Sobaeksu, Saenal, and Songkwang) are currently sanctioned by the US Office of Foreign Assets Control (OFAC).
Cryptocurrency proceeds were converted to fiat through Chinese banks and payment platforms including Payoneer. Tether froze one Tron wallet linked to the network in December 2024.
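A freeze like Tether’s, or a compliance hold at an exchange, is normally triggered by screening an address for how close it sits to a sanctioned counterparty in the transfer graph. The Python below is an added example written for this article; it is not ZachXBT’s tooling and uses no data from the leak. Every address and transfer in it is a constructed placeholder (Tron-style prefixes only, not real OFAC entries or real wallets), and the hop thresholds for “block” and “review” are illustrative policy choices, not Tether’s.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed placeholder addresses (Tron-style prefixes only). None of these
# are real OFAC entries, real wallets, or addresses from the leaked data.
SANCTIONED: Set[str] = {
    "TSanctionedEntityAddr0001",
    "TSanctionedEntityAddr0002",  # listed, but never seen in the sample transfers
}

# Constructed transfers as (sender, receiver, amount in USDT); not on-chain data.
TRANSFERS: List[Tuple[str, str, float]] = [
    ("TWorkerPayoutAddr0001", "TCollectorAddr0001", 12_000.0),
    ("TWorkerPayoutAddr0002", "TCollectorAddr0001", 9_500.0),
    ("TCollectorAddr0001", "TSanctionedEntityAddr0001", 21_000.0),
    ("TCollectorAddr0001", "TOtcDeskAddr0001", 500.0),
    ("TOtcDeskAddr0001", "TCashOutAddr0001", 450.0),
    ("TUnrelatedAddr0001", "TUnrelatedAddr0002", 40.0),
]


def build_graph(transfers: Iterable[Tuple[str, str, float]]) -> Dict[str, Set[str]]:
    """Undirected adjacency: paying a sanctioned address and being paid by one
    are both exposure, so edge direction is deliberately ignored."""
    adj: Dict[str, Set[str]] = {}
    for src, dst, _ in transfers:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def sanctions_exposure(transfers, sanctioned, max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first search outward from every sanctioned address that appears
    in the transfer set. Returns {address: hops}: 0 is the sanctioned address
    itself, 1 a direct counterparty, and so on. Addresses more than max_hops
    away are omitted, i.e. treated as clean."""
    adj = build_graph(transfers)
    hops = {a: 0 for a in sanctioned if a in adj}
    queue = deque(hops)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nbr in adj[node]:
            if nbr not in hops:
                hops[nbr] = hops[node] + 1
                queue.append(nbr)
    return hops


def screen_transfers(transfers, sanctioned, max_hops: int = 2):
    """Label each transfer by the nearest sanctions hop of either party:
    'block' for hop 0 or 1 (direct dealings), 'review' for hops 2..max_hops,
    'clear' beyond that (reported as max_hops + 1)."""
    exposure = sanctions_exposure(transfers, sanctioned, max_hops)
    results = []
    for src, dst, amount in transfers:
        nearest = min(exposure.get(src, max_hops + 1), exposure.get(dst, max_hops + 1))
        if nearest <= 1:
            verdict = "block"
        elif nearest <= max_hops:
            verdict = "review"
        else:
            verdict = "clear"
        results.append((src, dst, amount, nearest, verdict))
    return results


if __name__ == "__main__":
    for src, dst, amount, hop, verdict in screen_transfers(TRANSFERS, SANCTIONED):
        print(f"{verdict:6} hop={hop} {src} -> {dst} {amount:,.2f} USDT")
```

The graph is undirected on purpose: a worker’s payout address that only ever sends to the collector still lands two hops from the sanctioned entity, which is exactly the pattern (many payout addresses funnelling into one collector that pays a sanctioned party) that gets a whole cluster frozen at once rather than a single wallet.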
Evidence of Cyber Attack Planning and Educational Resources
The compromised data also showed that some operatives were planning thefts. One conversation discussed targeting the Arcano project on GalaChain through a Nigerian intermediary, though there is no confirmation the attack was carried out.
An administrator circulated 43 training modules on reverse engineering tools, including IDA Pro and the Hex-Rays decompiler, covering disassembly, debugging, and malware analysis.
The data cache held 390 user profiles, chat logs, and browsing history. One finding identified 33 operatives messaging each other over IPMsg, a LAN messenger, on the same network.
ZachXBT noted that this group was less technically sophisticated than other North Korean units such as AppleJeus and TraderTraitor.
State-sponsored North Korean threat actors have stolen more than $7 billion since 2009. This group was also linked to the $280 million compromise of Drift Protocol on April 1, 2025.
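IPMsg discovers peers by broadcasting on its default port, 2425, so a cluster of hosts on one subnet all talking on that port is visible in ordinary firewall or flow logs, which is the kind of artifact that lets an analyst say “33 operatives on the same network.” The Python below is an added example for this article, not code from ZachXBT or from the leaked material. The log lines are constructed in a generic key=value format (the field names and order are assumptions about a hypothetical firewall), and the minimum cluster size of three hosts is an illustrative threshold.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

IPMSG_PORT = 2425  # IP Messenger's default port: UDP for presence/chat, TCP for file transfer

# Constructed firewall/flow log lines in a hypothetical key=value format.
# They are sample input for this example, not lines from the leaked cache.
SAMPLE_LOG = """\
2025-01-10T09:12:01Z proto=UDP src=10.20.5.11 sport=2425 dst=10.20.5.255 dport=2425 bytes=48
2025-01-10T09:12:02Z proto=UDP src=10.20.5.11 sport=2425 dst=10.20.5.44 dport=2425 bytes=112
2025-01-10T09:12:05Z proto=UDP src=10.20.5.44 sport=2425 dst=10.20.5.11 dport=2425 bytes=96
2025-01-10T09:12:09Z proto=UDP src=10.20.5.73 sport=2425 dst=10.20.5.255 dport=2425 bytes=48
2025-01-10T09:12:15Z proto=TCP src=10.20.5.73 sport=52110 dst=10.20.5.11 dport=2425 bytes=1048576
2025-01-10T09:13:00Z proto=UDP src=192.168.1.9 sport=2425 dst=192.168.1.255 dport=2425 bytes=48
2025-01-10T09:13:30Z proto=TCP src=10.20.5.90 sport=44100 dst=203.0.113.5 dport=443 bytes=5120
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_flows(log: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                   "sport": int(m["sport"]), "dport": int(m["dport"])}


def is_ipmsg(flow) -> bool:
    """IPMsg uses 2425 on both ends for UDP and as the TCP destination port
    for file transfers, so either side sitting on 2425 counts."""
    return IPMSG_PORT in (flow["sport"], flow["dport"])


def ipmsg_hosts_by_subnet(log: str, prefix: int = 24) -> Dict[ipaddress.IPv4Network, Set[str]]:
    """Group every host that sent or received IPMsg traffic by its /prefix
    subnet. Broadcast destinations (IPMsg presence announcements) are
    dropped so they do not inflate the host count."""
    hosts: Dict[ipaddress.IPv4Network, Set[str]] = defaultdict(set)
    for flow in parse_flows(log):
        if not is_ipmsg(flow):
            continue
        for ip in (flow["src"], flow["dst"]):
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            if ipaddress.ip_address(ip) == net.broadcast_address:
                continue
            hosts[net].add(ip)
    return hosts


def flag_clusters(log: str, min_hosts: int = 3, prefix: int = 24) -> List[Tuple[str, List[str]]]:
    """Return (subnet, hosts) for subnets where at least min_hosts distinct
    hosts are talking IPMsg: one or two hosts is noise, a cluster is a lead."""
    return sorted(
        (str(net), sorted(ips))
        for net, ips in ipmsg_hosts_by_subnet(log, prefix).items()
        if len(ips) >= min_hosts
    )


if __name__ == "__main__":
    for subnet, members in flag_clusters(SAMPLE_LOG):
        print(f"{subnet}: {len(members)} IPMsg hosts -> {', '.join(members)}")
```

On the sample input the 10.20.5.0/24 subnet is flagged with three hosts, while the lone 192.168.1.9 announcement and the unrelated HTTPS flow from 10.20.5.90 are ignored. In a real deployment the prefix should match the site’s actual VLAN layout rather than a blanket /24, and TCP 2425 flows with large byte counts (file transfers, as on the fifth line) deserve a closer look than chat traffic.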
