xiand.ai
Apr 9, 2026 · Updated 08:27 PM UTC
Crypto

On-chain sleuth ZachXBT exposes North Korean illicit crypto payment network

Renowned blockchain investigator ZachXBT has uncovered leaked internal payment server data from North Korea, revealing a network that has processed over $3.5 million in illicit transfers over the past five months.

Ryan Torres

2 min read

Photo: indodax.com

Prominent blockchain investigator ZachXBT has released a detailed forensic report exposing a global cryptocurrency payment network operated by North Korean IT workers. The investigation, based on internal server data recovered from a device belonging to a North Korean operative, gives a granular look at how the group uses fake identities and multi-layered fiat conversion channels to launder funds.

According to ZachXBT, the network has taken in more than $3.5 million in cryptocurrency since late November 2025, roughly $700,000 a month over that five-month window. The leaked dataset includes 390 user accounts, extensive chat logs, and a complete ledger of cryptocurrency transactions.

The mechanics of the 'Luckyguys.site' hub

At the heart of the investigation is a custom-built communication platform, 'luckyguys.site', designed to mimic Discord. It served as a dedicated hub where North Korean IT workers stationed abroad reported to their superiors and confirmed the status of remittances. For an operation built on secrecy, the platform's own security was strikingly lax: at least 10 user accounts used '123456', the password that tops virtually every breached-credential list, as their default login password.

Leaked records show that user profiles contained specific Korean names, city locations, assigned roles, and internal group codes, details that match the known structure of North Korean overseas IT operations. An administrator account labeled 'PC-1234' centrally managed the flow of funds, handing out temporary login credentials for various cryptocurrency exchanges and fintech platforms to individual users. From an exchange's side, many customer accounts driven by credentials provisioned from a single operator is precisely the account-sharing pattern that KYC and device-fingerprinting controls are meant to flag.

The investigation further confirmed the network's sanctions ties. Three entities named in the records (Sobaeksu, Saenal, and Songkwang) have already been designated by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). The breach not only exposes how North Korea leverages crypto assets to bypass sanctions but also highlights critical security lapses in its overseas operations. By correlating the chat logs with the on-chain transaction paths, ZachXBT has produced a chain of evidence that investigators and exchange compliance teams can use to track such illicit flows.
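The "transaction paths" mentioned above, shown as an added example that is not part of ZachXBT's report or of this article: a small Python tracer over a constructed ledger. Every address, amount, timestamp and the sanctioned-entity label below is an invented placeholder, not data from the leak. The code sums a network's monthly external inflows (ignoring internal shuffles between its own addresses) and then follows funds hop by hop until they land at a sanctions-listed counterparty, discarding chains that would require money to be forwarded before it arrived.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger for illustration only; none of these identifiers are
# real addresses or records from the leaked dataset.
# Fields: tx_id, sender, receiver, amount_usd, ISO-8601 timestamp.
LEDGER = [
    ("t0", "otc_desk",     "sanctioned_1", 500,   "2025-11-01T09:00:00"),
    ("t1", "client_a",     "hub_main",     12000, "2025-11-28T10:00:00"),
    ("t2", "client_b",     "hub_main",     8000,  "2025-12-03T14:30:00"),
    ("t3", "hub_main",     "hub_alt",      15000, "2025-12-05T08:00:00"),
    ("t4", "hub_alt",      "otc_desk",     15000, "2025-12-06T16:45:00"),
    ("t5", "otc_desk",     "sanctioned_1", 14500, "2025-12-07T11:20:00"),
    ("t6", "client_c",     "hub_alt",      5000,  "2026-01-10T12:00:00"),
    ("t7", "hub_alt",      "exchange_dep", 5000,  "2026-01-11T09:10:00"),
    ("t8", "exchange_dep", "retail_user",  100,   "2026-01-12T18:00:00"),
    ("t9", "client_a",     "hub_main",     3000,  "2026-01-20T07:30:00"),
]

# Hypothetical address sets (assumptions for this example): the network's own
# collection addresses, and counterparties that appear on a sanctions list.
HUB_ADDRESSES = {"hub_main", "hub_alt"}
SANCTIONED = {"sanctioned_1": "designated entity (placeholder label)"}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_graph(ledger):
    """Adjacency list: sender -> list of outgoing transfers (tx_id, receiver, amount, time)."""
    graph = defaultdict(list)
    for tx_id, sender, receiver, amount, ts in ledger:
        graph[sender].append((tx_id, receiver, amount, parse_ts(ts)))
    return graph


def monthly_inflows(ledger, hub):
    """Sum external deposits into the hub per calendar month.
    Transfers between two hub addresses are internal shuffles and are excluded;
    counting them would inflate the apparent inflow figure."""
    totals = defaultdict(int)
    for _, sender, receiver, amount, ts in ledger:
        if receiver in hub and sender not in hub:
            totals[parse_ts(ts).strftime("%Y-%m")] += amount
    return dict(totals)


def trace_to_sanctioned(graph, start, sanctioned, max_hops=5):
    """Depth-first forward trace from `start`, returning every chronologically
    consistent chain of transfers (as tx_ids) that ends at a sanctioned address.
    Each hop must be timestamped at or after the previous one, since funds cannot
    be forwarded before they arrive; this prunes spurious links such as an older
    payment from the same intermediary (t0 above). Addresses already on the
    current chain are not revisited, so cycles cannot loop forever."""
    found = []

    def walk(addr, path, visited, last_time):
        if len(path) >= max_hops:
            return
        for tx_id, receiver, amount, t in graph.get(addr, []):
            if receiver in visited or (last_time is not None and t < last_time):
                continue
            next_path = path + [tx_id]
            if receiver in sanctioned:
                found.append({"path": next_path, "endpoint": receiver, "amount": amount})
                continue
            walk(receiver, next_path, visited | {receiver}, t)

    walk(start, [], {start}, None)
    return found


if __name__ == "__main__":
    g = build_graph(LEDGER)
    print("external inflows by month:", monthly_inflows(LEDGER, HUB_ADDRESSES))
    for hit in trace_to_sanctioned(g, "hub_main", SANCTIONED):
        print(" -> ".join(hit["path"]), "reaches", SANCTIONED[hit["endpoint"]],
              "carrying", hit["amount"])
```

On the sample ledger the only chain from hub_main that survives is t3 -> t4 -> t5; the earlier otc_desk payment t0 is rejected because it predates the funds' arrival at otc_desk, and the exchange_dep branch dies at retail_user. On a real investigation the ledger would come from the leaked transaction records or a chain indexer, and the sanctioned set from the published OFAC SDN list rather than a hard-coded placeholder.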
