The post ZachXBT Exposes Internal Data of North Korean IT Workers, Reveals $3.5M Transactions appeared on BitcoinEthereumNews.com.

ZachXBT Exposes Internal Data of North Korean IT Workers, Reveals $3.5M Transactions

2026/04/09 04:19

ZachXBT exposed internal data from North Korean IT workers today, detailing a $3.5 million crypto flow since late 2025. According to ZachXBT, the dataset came from a compromised device and includes 390 accounts, chat logs, and transaction records. The findings reveal how workers used fake identities, weak security, and coordinated systems to process roughly $1 million monthly.

ZachXBT Uncovers Internal Payment System

According to ZachXBT in a detailed X thread, an unnamed source provided data extracted from an internal payment server used by North Korean (DPRK) IT workers. The dataset includes chat logs from IPMsg, account lists, and browser histories tied to fraudulent operations. Users discussed a platform called luckyguys[.]site, described as a remittance hub.

The system functioned as both a messaging tool and a reporting channel. Workers submitted earnings and received instructions through this platform. However, weak security exposed the system, as several accounts used the default password “123456” without changes.

User records listed Korean names, cities, and coded group identifiers. Additionally, three entities, Sobaeksu, Saenal, and Songkwang, appeared in the data. These companies are currently under OFAC sanctions, linking the network to previously identified operations.

Transaction Patterns Reveal $3.5M Flow

Transaction logs show a consistent movement of funds across the network. According to ZachXBT, users transferred crypto from exchanges or services before converting it into fiat. In many cases, workers used Chinese bank accounts and platforms like Payoneer for off-ramping.

An administrative account identified as PC-1234 confirmed payments and distributed account credentials. These credentials varied between crypto exchanges and fintech platforms depending on user needs. Since November 2025, tracked wallet addresses have processed over $3.5 million.

Blockchain tracing linked several payment addresses to known DPRK. One Tron wallet was frozen by Tether in December 2025. According to ZachXBT, this action indicates limited intervention by industry participants.

Fake Identities, Training, and Coordination

The dataset also outlines how workers secured remote jobs using fabricated identities. According to ZachXBT, compromised device data revealed fake personas, job applications, and browser activity. 

Workers relied on tools like Astrill VPN to mask their locations during these operations. This new investigation comes after ZachXBT called out Circle over the $285M Drift Protocol exploit delay. In the new report, internal chats showed coordination across multiple platforms.

In one instance, 33 workers communicated through IPMsg on the same network. Additionally, Slack discussions referenced a blog about deepfake job applicants. Meanwhile, some conversations suggested planned theft attempts. 

One user discussed targeting a GalaChain project called Arcano through a Nigerian proxy. However, the data does not confirm whether the attack occurred. Training materials circulated widely within the group. 

The admin shared 43 modules covering reverse engineering topics, including Hex-Rays and IDA Pro. These sessions focused on disassembly, debugging, and malware analysis, indicating ongoing technical development within the network.

Source: https://coingape.com/zachxbt-exposes-internal-data-of-north-korean-it-workers-reveals-3-5m-transactions/
