Counterhacker exposes DPRK unit that made $1M a month working IT jobs

The North Korean IT workers coordinated crypto payments through a server using a shared, easy-to-guess password “123456.”

A group of North Korean IT workers made more than $3.5 million in just a few months by faking their identities to work as developers while also attempting to hack crypto projects, according to documents obtained by a hacker who compromised one of their devices.

The leaked data obtained by the unnamed hacker was shared by blockchain sleuth ZachXBT in a post to X on Wednesday. It revealed that one of the IT workers, “Jerry,” and a team of 140 members were making roughly $1 million a month, amounting to $3.5 million worth of crypto since late November.

The North Korean IT workers coordinated payments on a website called “luckyguys.site” using a shared password, “123456,” ZachXBT said, adding that some of the users on that platform appeared to work for Sobaeksu, Saenal and Songkwang, which are sanctioned by the US Office of Foreign Assets Control.

These crypto payments were converted into fiat and sent to Chinese bank accounts via online payment platforms like Payoneer. Tracing these wallet addresses also revealed links to other known North Korean wallets that were blacklisted by Tether in December, ZachXBT said.

Bad actors from North Korea and other countries continue to threaten the crypto industry with increasingly sophisticated tactics for carrying out hacks and scams. 

North Korean state-backed workers have stolen over $7 billion in funds since 2009, with a large share of that coming from crypto projects. The $1.4 billion hack of crypto exchange Bybit and the $625 million Ronin bridge hack are among its most notable attacks.

North Korean hackers were also blamed for the $280 million hack of the Drift Protocol on April 1. 

The North Korean IT workers who had their data exposed had a leaderboard showing how much crypto each IT worker had brought in for the organization since Dec. 8, with links to blockchain explorer pages showing transaction details.

Another screenshot shared by ZachXBT showed that Jerry used an Astrill virtual private network to access Gmail, where he submitted several applications for full-stack developer and software engineer roles on Indeed.

Related: Alleged Huione money-laundering boss extradited to China

In an unsent email, Jerry wrote a letter for a WordPress content and search engine optimization specialist position at a T-shirt company in Texas, seeking $30 an hour with availability of 15 to 20 hours a week.

Identification documents were falsified, too, with one of the IT workers, “Rascal,” sharing pictures of a billing statement using a fake name and fake address in Hong Kong. 

Rascal also shared a picture of an Irish passport, though it is not clear if it was used.

ZachXBT however said these IT workers were less sophisticated compared to other North Korean groups like AppleJeus and TraderTraitor, which “operate far more efficiently and present the greatest risks to the industry.”

Magazine: Asia Express: Phantom Bitcoin checks, China tracks tax on blockchain

Source: CoinTelegraph