A new investigation by blockchain analyst ZachXBT reveals a North Korea linked IT worker network generating nearly $1 million per month through crypto based payment flows and fraudulent employment schemes.
Key Takeaways
- Over $3.5 million in crypto payments traced to a DPRK linked IT worker network since late November 2025.
- Roughly $1 million per month flowing through crypto to fiat conversion channels.
- Leaked internal server data exposed 390 accounts, chat logs, and transaction records.
- Sanctioned entities and frozen wallets tied to the operation highlight ongoing enforcement pressure.
What Happened?
Blockchain investigator ZachXBT published findings from a large dataset extracted from an internal DPRK payment server. The data revealed a coordinated network of IT workers using fake identities and crypto payments to generate millions in revenue.
The investigation showed how funds were routed through cryptocurrency wallets and later converted into fiat through Chinese bank accounts and platforms like Payoneer, pointing to a structured and ongoing financial pipeline.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
— ZachXBT (@zachxbt) April 8, 2026
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
Inside the DPRK Payment Network
The investigation centers around an internal platform known as WebMsg, also linked to the domain luckyguys.site. This system functioned like a messaging and payment coordination tool where workers reported earnings and received instructions from a central administrator account identified as PC-1234.
According to the leaked data, the network included:
- Around 390 user accounts with detailed identity records.
- Internal chat logs showing communication between dozens of workers.
- Wallet activity and transaction histories tied to crypto flows.
- Organizational structures mapping payments across groups.
At least 33 workers were actively communicating within the same messaging system, highlighting a coordinated structure rather than isolated actors.
Weak Security and Operational Gaps
Despite handling millions in crypto, the operation showed surprisingly weak security practices. Several users reportedly kept the default password set to “123456,” exposing critical vulnerabilities within the system.
The data was obtained after an infostealer malware compromised a DPRK worker’s device. An anonymous source later shared the files with ZachXBT, who confirmed the dataset had not been previously made public.
The platform went offline shortly after the findings were published, though the full dataset had already been archived.
Fake Identities and Global Payment Flows
The network relied heavily on forged documents and fake personas to secure remote employment opportunities. Workers used VPN services to hide their locations while applying for jobs across global platforms.
Once payments were received, the funds followed a consistent path:
- Crypto payments collected from employers or platforms.
- Transfers routed through blockchain wallets.
- Conversion into fiat currency via exchanges or Payoneer.
- Deposits into Chinese bank accounts.
Some internal messages even referenced Hong Kong addresses, although their authenticity remains unverified.
Links to Sanctioned Entities and Blockchain Traces
The leaked records included references to three entities sanctioned by the U.S. Treasury’s Office of Foreign Assets Control, namely Sobaeksu, Saenal, and Songkwang.
Onchain analysis further connected wallet addresses used in the operation to known DPRK IT worker clusters. One Tron wallet linked to the network was frozen by Tether in December 2025, indicating prior detection by authorities.
Broader Cyber Activity and Emerging Risks
While this network appeared less advanced than high profile DPRK groups such as Lazarus, Applejeus, or TraderTraitor, its scale remains significant. The operation aligns with previous estimates suggesting that North Korean IT worker schemes generate multiple seven figure revenues each month.
Internal logs also revealed potential targeting of crypto projects, including discussions about exploiting a blockchain based game using proxy setups. It remains unclear whether these plans were carried out.
Recent developments across the crypto sector further highlight the threat:
- A Solana based project warned users after identifying a former DPRK linked employee.
- Another protocol tied a major exploit to long running social engineering activity.
- U.S. authorities have sanctioned facilitators connected to an $800 million crypto linked scheme.
CoinLaw’s Takeaway
In my experience, this investigation clearly shows how simple methods can still generate massive results in crypto crime. What stands out to me is not just the scale, but how basic some of the tactics were.
I found it surprising that a network moving millions relied on weak passwords and standard tools. This tells me the real advantage comes from coordination and persistence rather than technical brilliance.
For readers and builders in crypto, this is a reminder that security gaps at any level can be exploited, and even low sophistication actors can create serious financial impact when systems are not carefully monitored.
