Key Takeaways
- On-chain investigator ZachXBT uncovered a scheme in which roughly 140 North Korean IT operatives generated approximately $1M per month in cryptocurrency
- The operation accumulated more than $3.5M since late November 2024 through fake identities used to land remote tech jobs
- The group's payment platform, "luckyguys.site", had many accounts protected only by the password "123456"
- Cryptocurrency proceeds were cashed out through Chinese banks and services such as Payoneer
- Wallet addresses tied to the operation were linked to OFAC-sanctioned organizations and were blacklisted by Tether
This week, blockchain investigator ZachXBT published findings drawn from data taken off a compromised device used by a North Korean IT operative, exposing an organized cryptocurrency fraud scheme that brought in more than $3.5 million in a matter of months.
The data was supplied by an anonymous hacker who had broken into one of the operatives' devices. ZachXBT posted his findings on X, describing how roughly 140 operatives, coordinated by an individual known as "Jerry", had been generating about $1 million per month in cryptocurrency since late November 2024.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
The operatives used fake personas to obtain remote technology jobs through job boards such as Indeed. The data showed Jerry applying for full-stack development and software engineering roles while routing his traffic through Astrill VPN to hide his real location; Astrill is a provider repeatedly associated with DPRK IT worker activity in public threat reporting, and its use by an applicant is worth treating as a screening signal.
A draft email showed Jerry applying for a WordPress and SEO specialist role at a T-shirt business in Texas, asking $30 per hour for 15 to 20 hours a week.
Another operative, known as "Rascal", used a fabricated identity and a Hong Kong mailing address on financial paperwork. The files also included images of an Irish passport associated with Rascal, though whether it was ever actually used is unclear.
Payment Infrastructure Operations
The group handled payments through a website named "luckyguys.site". Many accounts on the platform used the password "123456", a sign of poor operational security on the operatives' own infrastructure.
The site served as both a communication channel and a tracking dashboard: operatives logged their earnings and received instructions through it. An administrator account, PC-1234, approved transactions and handed out login credentials for cryptocurrency exchanges and fintech services.
Three organizations mentioned in the compromised data — Sobaeksu, Saenal, and Songkwang — face active sanctions from the US Office of Foreign Assets Control.
Cryptocurrency was cashed out into fiat through Chinese banks and platforms such as Payoneer. A Tron-based wallet linked to the operation was frozen by Tether in December 2024.
Attack Strategies and Educational Resources
The data also showed that some operatives were planning outright theft. Chat messages referred to a plan to compromise a project named Arcano on GalaChain using a Nigerian intermediary, though there is no confirmation the attack was carried out.
An administrator distributed 43 training modules on reverse-engineering tools, in particular IDA Pro and its Hex-Rays decompiler, covering disassembly, debugging and malware analysis.
The leaked material comprised 390 user accounts, chat logs and browsing history. One finding showed 33 operatives messaging each other over IP Messenger (IPMsg), a LAN chat tool, on a shared local network.
ZachXBT noted that this group was less technically sophisticated than other North Korean operations such as AppleJeus and TraderTraitor.
State-backed North Korean groups have stolen more than $7 billion in total since 2009. This group has also been linked to the $280 million compromise of Drift Protocol on April 1, 2025.