Key Highlights
- Renowned blockchain sleuth ZachXBT uncovered a sophisticated scheme involving 140 North Korean operatives generating approximately $1M monthly in cryptocurrency
- The operation accumulated more than $3.5M since the end of November 2024 by deploying fraudulent identities to secure remote development positions
- A payment portal dubbed “luckyguys.site” was protected with the notoriously weak password “123456”
- Cryptocurrency proceeds were laundered through Chinese banking institutions and services including Payoneer
- Digital wallets associated with the operation had ties to OFAC-sanctioned organizations and faced freezing by Tether
This week, blockchain sleuth ZachXBT unveiled confidential information obtained from a compromised computing device owned by a North Korean IT operative, exposing an organized cryptocurrency fraud scheme that accumulated more than $3.5 million within mere months.
An anonymous cybersecurity specialist who infiltrated one of the operatives’ systems provided the information. ZachXBT disseminated his discoveries on X, illustrating how approximately 140 operatives, managed by an individual known as “Jerry,” generated roughly $1 million monthly in digital currency starting from late November 2024.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The operatives deployed counterfeit identities to pursue remote technology positions on job boards such as Indeed. A captured screenshot revealed Jerry submitting applications for full-stack development and software engineering positions while utilizing an Astrill VPN to conceal his geographical location.
In an unsent correspondence, Jerry pursued a WordPress and SEO specialist role at a Texan t-shirt manufacturer, requesting compensation of $30 per hour for 15 to 20 weekly hours.
A separate operative identified as “Rascal” employed a fabricated identity and Hong Kong mailing address on financial documentation. The compromised files also contained an image of an Irish passport attributed to Rascal, though its actual deployment remains uncertain.
Payment Infrastructure and Operations
The network handled payments through a website named “luckyguys.site.” Many user accounts on the platform used the trivially guessable password “123456,” a sign of weak operational security.
This platform served dual purposes as both a communication channel and reporting center. Operatives documented their earnings and obtained directives through this system. An administrative profile designated PC-1234 validated transactions and allocated access credentials for cryptocurrency trading platforms and financial technology services.
Three organizations identified in the intelligence — Sobaeksu, Saenal, and Songkwang — currently appear on the US Office of Foreign Assets Control sanctions registry.
Cryptocurrency proceeds underwent conversion to traditional currency utilizing Chinese financial institutions and platforms like Payoneer. A Tron blockchain wallet linked to the operation received a freeze order from Tether during December 2024.
Cybercrime Preparations and Educational Resources
The compromised intelligence additionally revealed that certain operatives were preparing unauthorized access attempts. One conversation mentioned a potential attack on Arcano, a project hosted on GalaChain, to be executed through a Nigerian intermediary, although confirmation of this attack’s execution remains unavailable.
An administrator circulated 43 educational modules addressing reverse engineering applications including Hex-Rays and IDA Pro, concentrating on disassembly techniques, debugging procedures, and malicious software examination.
The data set contained 390 user profiles, chat logs, and browsing history. Notably, 33 operatives were found exchanging messages over IPMsg on the same network.
ZachXBT observed this collective demonstrated lower technical sophistication compared to alternative North Korean cybercrime organizations such as AppleJeus and TraderTraitor.
North Korean state-sponsored threat actors have misappropriated over $7 billion cumulatively since 2009. This particular collective was additionally connected to the $280 million security breach of Drift Protocol occurring on April 1, 2025.