{"id":2260,"date":"2026-04-10T10:20:55","date_gmt":"2026-04-10T10:20:55","guid":{"rendered":"https:\/\/blog.coinsignals.net\/?p=2260"},"modified":"2026-04-10T10:20:55","modified_gmt":"2026-04-10T10:20:55","slug":"zachxbt-reveals-3-5-million-dollar-crypto-scheme-run-by-north-korean-fake-developers","status":"publish","type":"post","link":"https:\/\/blog.coinsignals.net\/index.php\/2026\/04\/10\/zachxbt-reveals-3-5-million-dollar-crypto-scheme-run-by-north-korean-fake-developers\/","title":{"rendered":"ZachXBT Reveals 3.5 Million Dollar Crypto Scheme Run by North Korean Fake Developers"},"content":{"rendered":"\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"588\" height=\"357\" data-id=\"2261\" src=\"https:\/\/blog.coinsignals.net\/wp-content\/uploads\/2026\/04\/IMG_1808.jpeg\" alt=\"\" class=\"wp-image-2261\" srcset=\"https:\/\/blog.coinsignals.net\/wp-content\/uploads\/2026\/04\/IMG_1808.jpeg 588w, https:\/\/blog.coinsignals.net\/wp-content\/uploads\/2026\/04\/IMG_1808-300x182.jpeg 300w\" sizes=\"auto, (max-width: 588px) 100vw, 588px\" \/><\/figure>\n<\/figure>\n\n\n\n<p>Blockchain investigator ZachXBT has uncovered a large scale operation in which North Korean IT workers secretly earned more than 3.5 million dollars in cryptocurrency by posing as developers across multiple crypto projects.<\/p>\n\n\n\n<p>The findings came after an unidentified hacker gained access to one of the workers\u2019 devices, exposing a trove of internal data. This included records from a payment server linked to nearly 390 accounts, as well as chat logs, browsing history, and fake identity documents used to secure employment.<\/p>\n\n\n\n<p>The leaked data suggests the operation was generating close to 1 million dollars per month. 
Workers reportedly used fabricated credentials to land roles in various projects, while funneling their earnings through a centralized internal system. Communication and payment tracking were managed through a platform called luckyguys.site, which acted as a hub where participants logged transactions and reported their income.<\/p>\n\n\n\n<p>Security on the platform appeared weak, with several users relying on a default password. User profiles contained details such as roles, locations, and group identifiers that resemble known North Korean IT worker networks, including connections to entities sanctioned by the US Treasury\u2019s Office of Foreign Assets Control, such as Sobaeksu, Saenal, and Songkwang.<\/p>\n\n\n\n<p>Chat records show that a central administrator account coordinated operations by confirming incoming payments and distributing login credentials for financial services. Funds were typically received in cryptocurrency, converted into fiat currency, and then transferred through Chinese bank accounts using platforms like Payoneer. Blockchain analysis linked some of these transactions to previously identified North Korean-associated wallets, including addresses later frozen by Tether in late 2025.<\/p>\n\n\n\n<p>Data from the compromised device, linked to a user identified as \u201cJerry,\u201d revealed the use of VPN services and multiple fake identities when applying for jobs. Internal messages also mentioned concerns about deepfake detection and strict rules against sharing information outside the network. Logs further indicated that dozens of workers were active within the same communication system.<\/p>\n\n\n\n<p>Beyond generating income, the records included discussions about potentially exploiting crypto projects. 
In one case, \u201cJerry\u201d spoke with another worker about targeting a project using a proxy setup, though it remains unclear whether the plan was executed.<\/p>\n\n\n\n<p>Administrators also shared training materials covering reverse engineering and debugging tools such as IDA Pro, suggesting a structured and organized approach to skill development.<\/p>\n\n\n\n<p>Separately, cybersecurity researcher Taylor Monahan noted that North Korean-linked developers have been active in the crypto space for years and have even contributed to major decentralized finance platforms. According to her, many of these individuals possess genuine technical expertise rather than entirely fabricated backgrounds.<\/p>\n\n\n\n<p>Projects such as SushiSwap, Yearn, and THORChain were mentioned as examples. She also warned that some of these actors later played roles in enabling major exploits.<\/p>\n\n\n\n<p>In addition, the North Korean-linked hacking group Lazarus Group has been connected to several of the crypto industry\u2019s most significant breaches, including the 625 million dollar Ronin Bridge attack in 2022, the 235 million dollar WazirX hack in 2024, and the 1.4 billion dollar Bybit heist in 2025.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blockchain investigator ZachXBT has uncovered a large scale operation in which North Korean IT workers secretly earned more than 3.5 million dollars in cryptocurrency by 
posing&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2260","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/posts\/2260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/comments?post=2260"}],"version-history":[{"count":1,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/posts\/2260\/revisions"}],"predecessor-version":[{"id":2262,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/posts\/2260\/revisions\/2262"}],"wp:attachment":[{"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/media?parent=2260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/categories?post=2260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.coinsignals.net\/index.php\/wp-json\/wp\/v2\/tags?post=2260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}