Blockchain investigator ZachXBT has revealed that a network of North Korea-linked IT workers is generating roughly $1 million a month through cryptocurrency payments and fraudulent hiring schemes.
In a detailed thread published on X (formerly Twitter), ZachXBT explains that the findings stem from a leak of an internal payment server linked to as many as 390 accounts.
The dump also contains previously undisclosed chat logs, wallet activity, and identity records. According to the investigation, the group has taken in more than $3.5 million since last November.
Fake Identities and Cross-Border Fund Flows
The network relies on forged personas, fake documentation, and coordinated payment processing. At its core is an internal remittance platform that functions much like an instant messaging service: IT workers use it to report their earnings and to receive payment instructions from a central administrator account.
Funds typically pass through cryptocurrency exchanges before being converted into fiat via Chinese bank accounts or platforms such as Payoneer. ZachXBT has linked several payment addresses to known clusters of North Korean IT worker activity, including one Tron address whose USDT holdings Tether froze last December.
The investigation also surfaced operational details, such as the use of VPNs to mask the workers' true locations and the use of fake identities to submit job applications. Leaked device records even revealed discussions of a potential attack on a crypto gaming project, though it remains unclear whether that attack was ever carried out.
While the group appears less sophisticated than well-known North Korean hacking groups such as Lazarus, the scale of its income is consistent with earlier estimates that North Korean IT worker programs bring in seven figures per month.
North Korea-linked crypto activity has been on the rise. The Solana-based project Stabble recently urged liquidity providers to withdraw funds after discovering that some of its former employees were North Korean, and Drift protocol attributed a $280 million exploit to social engineering attacks suspected to have been carried out by North Korean actors.