Renowned blockchain detective ZachXBT released confidential information this week obtained from a hacked device owned by a North Korean IT operative, exposing an organized cryptocurrency fraud scheme that amassed more than $3.5 million within several months.
The intelligence was provided by an anonymous security researcher who successfully infiltrated one of the operatives’ computers. ZachXBT shared his analysis on X, explaining how approximately 140 workers, supervised by an individual using the alias “Jerry,” were generating roughly $1 million monthly in cryptocurrency starting in late November 2024.
The operatives used fabricated identities to secure remote technology positions on job boards such as Indeed. Evidence showed Jerry applying for full-stack development and software engineering roles while using Astrill VPN to conceal his geographic location.
In a draft correspondence discovered in the breach, Jerry pursued a WordPress and SEO specialist role at a t-shirt manufacturing company based in Texas, requesting compensation of $30 hourly for 15 to 20 weekly hours.
A second operative identified as “Rascal” used falsified credentials and a Hong Kong mailing address on financial documents. The leaked materials also contained images of an Irish passport attributed to Rascal, though whether it was actually used remains unverified.
The collective managed financial transactions through a dedicated website identified as “luckyguys.site.” Numerous user accounts on this platform employed the rudimentary default password “123456,” demonstrating significant operational security vulnerabilities.
The platform served dual purposes as both a communication channel and reporting system. Operatives logged their revenue and received directives through the interface. An administrative account designated PC-1234 validated transactions and disseminated access credentials for cryptocurrency exchanges and financial technology platforms.
Three organizations referenced in the compromised data — Sobaeksu, Saenal, and Songkwang — currently face sanctions from the US Office of Foreign Assets Control.
Cryptocurrency was converted to fiat currency through Chinese financial institutions and platforms such as Payoneer. A Tron-based wallet linked to the network was frozen by Tether in December 2024.
The compromised information additionally revealed that certain operatives were developing theft strategies. Communications referenced plans to compromise a blockchain initiative called Arcano on GalaChain using a Nigerian intermediary, though confirmation of execution remains absent from the available data.
Administrative personnel circulated 43 educational modules addressing reverse engineering utilities including Hex-Rays and IDA Pro, emphasizing disassembly techniques, debugging procedures, and malware examination.
The complete dataset encompassed 390 user accounts, communication records, and browsing history. Investigators discovered 33 operatives exchanging messages through IPMsg on a single local network.
ZachXBT observed this collective demonstrated lower technical proficiency compared to alternative North Korean cybercrime units such as AppleJeus and TraderTraitor.
North Korean state-sponsored threat actors have stolen more than $7 billion in total since 2009. This particular group was also linked to the $280 million security breach of Drift Protocol on April 1, 2025.
The post North Korean Crypto Scheme Exposed: $3.5M Stolen Through Fake Developer Identities appeared first on Blockonomi.