ZachXBT Exposes North Korean IT Worker Network Data Revealing $3.5 Million Crypto Flow

CryptopulseElite

On April 8, 2026, blockchain investigator ZachXBT published a detailed analysis of internal data exfiltrated from a North Korean payment server. The data reveals a scheme processing roughly $1 million per month in cryptocurrency through fake identities, forged legal documents, and a coordinated crypto-to-fiat conversion pipeline.

The dataset includes 390 accounts, chat logs, and transaction records from late 2025 through early 2026, with tracked wallet addresses processing over $3.5 million, and links to three entities currently sanctioned by the U.S. Office of Foreign Assets Control (OFAC).

Internal Payment Server Data Reveals Coordinated Network

An unnamed source provided data extracted from an internal payment server used by North Korean (DPRK) IT workers. The dataset includes chat logs from IPMsg, account lists, browser histories, and transaction records. Users discussed a platform called luckyguys[.]site, described as a remittance hub that functioned as both a messaging tool and a reporting channel. Workers submitted earnings and received instructions through this platform.

Operational security on the server was weak: several accounts still used the default password “123456”. User records listed Korean names, cities, and coded group identifiers. Three entities, Sobaeksu, Saenal, and Songkwang, appeared in the data and are currently under OFAC sanctions, linking the network to previously identified operations.

An administrative account identified as PC-1234 confirmed payments and handed out account credentials for crypto exchanges and fintech platforms, chosen according to each user's needs.

Transaction Patterns Show Consistent $3.5 Million Flow

Since late November 2025, tracked wallet addresses have processed over $3.5 million. The remittance pattern was consistent: users transferred crypto from exchanges or services, then converted it to fiat via Chinese bank accounts or platforms like Payoneer. PC-1234 confirmed receipt and provided account credentials.

Blockchain tracing linked several payment addresses to known DPRK clusters. One Tron payment address was frozen by Tether in December 2025. ZachXBT mapped the complete organizational structure of the network, including payment totals per user and group, based on scraped transaction data from December 2025 through February 2026.
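The two analyst tasks described above, totalling remittances per user and group and tracing payment addresses back to a known cluster, can be reduced to simple graph work over the transaction records. The script below is an added example written for this page; it is not ZachXBT's tooling and uses no real addresses. Every address, worker name, group label, amount, the "known cluster" set and the "frozen" set are constructed placeholders, and the record layout (sender, recipient, amount, user, group) is an assumption about what scraped payment data might look like.

```python
"""Added example, not from ZachXBT's report: aggregate remittance totals per
user and group, then walk transfers backwards from a known cluster to find the
payment hubs whose funds end up there. All data below is constructed."""
from collections import defaultdict, deque

# Constructed records: (tx_id, from_addr, to_addr, amount_usdt, user, group).
# Worker-to-hub transfers carry a user/group; consolidation hops carry None.
TRANSFERS = [
    ("tx1", "TWorkerA", "THubPay1", 12000.0, "worker_a", "group_7"),
    ("tx2", "TWorkerB", "THubPay1", 8000.0, "worker_b", "group_7"),
    ("tx3", "TWorkerC", "THubPay2", 15000.0, "worker_c", "group_3"),
    ("tx4", "THubPay1", "TCashOut1", 19500.0, None, None),   # consolidation
    ("tx5", "THubPay2", "TCashOut1", 14900.0, None, None),
    ("tx6", "TCashOut1", "TClusterX", 34000.0, None, None),  # into known cluster
    ("tx7", "TUnrelated", "TOtherExch", 500.0, None, None),  # noise, unlinked
]

KNOWN_CLUSTER = {"TClusterX"}  # constructed stand-in for a known DPRK cluster
FROZEN = {"THubPay1"}          # constructed stand-in for an issuer-frozen address


def totals_by_user(transfers):
    """Sum remittances per worker account (the per-user totals the report mapped)."""
    totals = defaultdict(float)
    for _tx, _src, _dst, amount, user, _group in transfers:
        if user is not None:
            totals[user] += amount
    return dict(totals)


def totals_by_group(transfers):
    """Sum remittances per coded group identifier."""
    totals = defaultdict(float)
    for _tx, _src, _dst, amount, _user, group in transfers:
        if group is not None:
            totals[group] += amount
    return dict(totals)


def upstream_of(transfers, seeds, max_hops=5):
    """Breadth-first walk backwards along transfers from the seed addresses.

    Returns {address: hops} for every address whose funds reach a seed within
    max_hops transfers. Visited addresses are recorded once, so cycles and
    shared recipients do not cause re-processing."""
    reverse = defaultdict(set)  # recipient -> set of senders
    for _tx, src, dst, _amt, _user, _group in transfers:
        reverse[dst].add(src)
    hops = {}
    queue = deque((seed, 0) for seed in seeds)
    while queue:
        addr, depth = queue.popleft()
        if depth == max_hops:
            continue
        for sender in reverse[addr]:
            if sender not in hops and sender not in seeds:
                hops[sender] = depth + 1
                queue.append((sender, depth + 1))
    return hops


def flag_payment_addresses(transfers, known_cluster, frozen):
    """Report hub addresses that both receive worker remittances and have an
    onward path into the known cluster, noting whether an issuer froze them."""
    linked = upstream_of(transfers, known_cluster)
    hubs = {dst for _tx, _src, dst, _amt, user, _group in transfers
            if user is not None}
    return {
        hub: {"hops_to_cluster": linked[hub], "frozen": hub in frozen}
        for hub in sorted(hubs) if hub in linked
    }


if __name__ == "__main__":
    print("per user :", totals_by_user(TRANSFERS))
    print("per group:", totals_by_group(TRANSFERS))
    print("flagged  :", flag_payment_addresses(TRANSFERS, KNOWN_CLUSTER, FROZEN))
```

Walking the graph backwards from the cluster rather than forwards from every worker is the cheaper direction on real data: the cluster side has a handful of seeds, while the worker side has hundreds of accounts and far more noise transfers like `tx7` that never reach anything of interest.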

Fake Identities, Training, and Coordination

Compromised device data revealed fake personas, job applications, and browser activity. Workers relied on tools like Astrill VPN to mask locations. Internal Slack discussions referenced a blog post about a deepfake job applicant. One screenshot showed 33 DPRK IT workers communicating on the same network via IPMsg.

One worker discussed stealing from a project called Arcano (a GalaChain game) with another DPRK IT worker via a Nigerian proxy, though it remains unclear whether the attack materialized. The admin also distributed 43 training modules on reverse engineering, built around Hex‑Rays and IDA Pro and covering disassembly, debugging, and malware analysis, indicating ongoing technical development within the network.

Comparison with Other DPRK Threat Groups

ZachXBT noted that this cluster of DPRK IT worker activity is less sophisticated than groups like AppleJeus and TraderTraitor, which operate far more efficiently and present the greatest risk to the industry. He estimated that DPRK IT workers generate multiple seven figures per month in revenue, and the data supports that. He also suggested that other threat actors are passing up an opportunity by not targeting low‑tier DPRK groups, given the low risk of repercussions and minimal competition.

FAQ

What data did ZachXBT expose about North Korean IT workers?

ZachXBT published internal data from a compromised DPRK payment server, including 390 accounts, chat logs, transaction records, and fake identities. The data revealed a scheme processing approximately $1 million per month in cryptocurrency, with tracked wallets handling over $3.5 million since late 2025.

Which companies were identified as part of the network?

Three entities—Sobaeksu, Saenal, and Songkwang—appeared in the data and are currently sanctioned by the U.S. Office of Foreign Assets Control (OFAC), linking the network to previously identified DPRK operations.

What training materials were found in the data?

The admin sent 43 training modules covering reverse engineering, disassembly, decompilation, local and remote debugging, and malware analysis using tools like Hex‑Rays and IDA Pro, indicating ongoing technical development within the network.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.