ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms

A hacked device uncovered how North Korean developers secretly earned millions in crypto while working across different projects.

A large batch of leaked internal data has revealed that North Korean IT workers generated over $3.5 million in cryptocurrency in recent months through a coordinated operation involving fake developer identities and structured payment systems, according to blockchain investigator ZachXBT.

The information surfaced after an unnamed hacker compromised one of the workers’ devices, exposing records from an internal payment server tied to nearly 390 accounts, along with chat logs, browser data, and falsified identity documents used to secure jobs.

North Korean Crypto Operation

The dataset shows the operation brought in roughly $1 million per month, and individuals used forged credentials to obtain roles across projects while routing their earnings through an internal platform. ZachXBT revealed that communication and payment tracking were handled through a platform known as “luckyguys.site,” which functioned as an internal hub where workers logged transactions and reported income to administrators.

The platform appeared to have minimal security safeguards, and multiple users relied on a default password. User listings included roles, locations, and group identifiers similar to known North Korean IT worker structures, including links to entities sanctioned by the US Treasury’s Office of Foreign Assets Control, such as Sobaeksu, Saenal, and Songkwang.

Meanwhile, chat records indicate that a central administrator account was responsible for confirming incoming transfers and distributing account credentials for various financial services. Payments typically followed a consistent pattern, where funds received in cryptocurrency from exchanges or clients were converted into fiat and transferred through Chinese bank accounts using payment platforms like Payoneer. Blockchain tracing of these flows revealed connections to previously identified North Korean-linked wallets, including addresses later frozen by Tether in late 2025.

Data extracted from the compromised device, associated with a user operating under the name “Jerry,” revealed extensive use of VPN services and multiple fabricated personas for job applications. Internal conversations referenced deepfake-related hiring concerns and restrictions on sharing external information within the network. Additional logs suggested that dozens of workers operated simultaneously within the same communication system.

Beyond income generation, the records also captured discussions related to the potential exploitation of crypto projects. In one instance, “Jerry” discussed targeting a project with another worker using a proxy setup, although there is no confirmation that the attempt was carried out.

Separately, administrators distributed training materials covering reverse engineering and debugging tools such as IDA Pro.

DPRK Developers in DeFi

Just this week, cybersecurity researcher Taylor Monahan said North Korea-linked IT workers have been operating in the crypto sector for years, and even contributed to major DeFi protocols. Monahan explained that many of their resumes reflected real development experience rather than fabricated backgrounds.

Projects such as SushiSwap, Yearn, and THORChain were among those cited. The security expert also added that these actors later played an important role in enabling large-scale exploits.

Additionally, North Korean-affiliated hacking group Lazarus Group has been linked to some of the industry’s highest-profile hacks, such as the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the more recent $1.4 billion Bybit heist in 2025.
