Articles
Crypto Market Analysis

Counterhacker exposes DPRK unit that made $1M a month working IT jobs

User Image

Por Anônimo

Criado April 09, 2026|2 mins de leitura
Main Image

The North Korean IT workers coordinated crypto payments through a server using a shared, easy-to-guess password “123456.”

A group of North Korean IT workers made more than $3.5 million in just a few months by faking their identities to work as developers while also attempting to hack crypto projects, according to documents obtained by a hacker who compromised one of their devices.

The leaked data obtained by the unnamed hacker was shared by blockchain sleuth ZachXBT in a post to X on Wednesday. It revealed that one of the IT workers, “Jerry,” and a team of 140 members were making roughly $1 million a month, amounting to $3.5 million worth of crypto since late November.

The North Korean IT workers coordinated payments on a website called “luckyguys.site” using a shared password, “123456,” ZachXBT said, adding that some of the users on that platform appeared to work for Sobaeksu, Saenal and Songkwang, which are sanctioned by the US Office of Foreign Assets Control.

These crypto payments were converted into fiat and sent to Chinese bank accounts via online payment platforms like Payoneer. Tracing these wallet addresses also revealed links to other known North Korean wallets that were blacklisted by Tether in December, ZachXBT said.

Bad actors from North Korea and other countries continue to threaten the crypto industry with increasingly sophisticated tactics for carrying out hacks and scams. 

North Korean state-backed workers have stolen over $7 billion in funds since 2009, with a large share of that coming from crypto projects. The $1.4 billion hack of crypto exchange Bybit and the $625 million Ronin bridge hack are among its most notable attacks.

North Korean hackers were also blamed for the $280 million hack of the Drift Protocol on April 1. 

The North Korean IT workers who had their data exposed had a leaderboard showing how much crypto each IT worker had brought in for the organization since Dec. 8, with links to blockchain explorer pages showing transaction details.

Another screenshot shared by ZachXBT showed that Jerry used an Astrill virtual private network to access Gmail, where he submitted several applications for full-stack developer and software engineer roles on Indeed.

Related: Alleged Huione money-laundering boss extradited to China

In an unsent email, Jerry wrote a letter for a WordPress content and search engine optimization specialist position at a T-shirt company in Texas, seeking $30 an hour with availability of 15 to 20 hours a week.

Identification documents were falsified, too, with one of the IT workers, “Rascal,” sharing pictures of a billing statement using a fake name and fake address in Hong Kong. 

Rascal also shared a picture of an Irish passport, though it is not clear if it was used.

ZachXBT however said these IT workers were less sophisticated compared to other North Korean groups like AppleJeus and TraderTraitor, which “operate far more efficiently and present the greatest risks to the industry.”

Magazine: Asia Express: Phantom Bitcoin checks, China tracks tax on blockchain

Source: CoinTelegraph


Outros artigos publicados recentemente

Bitcoin’s BIP 110 fork deadline nears with miner support at zero
Bitcoin’s BIP 110 fork deadline nears with miner support at zero

Bitcoin

The BIP 110 proposal would cap arbitrary data on Bitcoin for a year, but Saylor, Adam Back and other...

Empery Digital shares rise after selling Bitcoin to fund AI data center project
Empery Digital shares rise after selling Bitcoin to fund AI data center project

Bitcoin

The sales come months after a major Empery shareholder demanded the firm ditch its Bitcoin treasury ...

Bitcoin bulls Michael Saylor, Adam Back slam BIP-110 Ordinals proposal
Bitcoin bulls Michael Saylor, Adam Back slam BIP-110 Ordinals proposal

Bitcoin

The ongoing debate comes despite a broad downturn in Ordinals transaction activity over the last two...

Lending protocol Bonzo loses 77% of value locked as $9 million oracle exploit rattles Hedera
Lending protocol Bonzo loses 77% of value locked as $9 million oracle exploit rattles Hedera

Crypto Market Analysis

Bonzo Lend lost approximately $9.05 million after an attacker exploited a verification flaw in a thi...

AI found an Ethereum bug that could take validators offline, but humans had to prove it
AI found an Ethereum bug that could take validators offline, but humans had to prove it

Ethereum

The Ethereum Foundation pointed coordinated AI agents at the software its validators run and got a r...

Bitcoin treasury company Empery Digital sold about half of its BTC stack
Bitcoin treasury company Empery Digital sold about half of its BTC stack

Bitcoin

It's a sign of the times as the troubled company swaps its bitcoin treasury ambitions for AI data ce...