North Korean Cyber Unit Raked in $1M Monthly Through Fake Dev Gigs and Crypto Theft
A counterhacker's breach has exposed a significant North Korean operation generating roughly $1 million per month through a combination of fraudulent IT work and cryptocurrency theft. The leaked data, shared by blockchain analyst ZachXBT on X, reveals that a 140-person unit—led by a worker identified as "Jerry"—accumulated $3.5 million in crypto payments since late November.
The Operation's Infrastructure
Here's where this gets sloppy: the North Korean workers coordinated all their crypto payments through a site called "luckyguys.site" protected by a shared password so weak it screams amateur hour—"123456." ZachXBT's analysis connected several platform users to sanctioned entities including Sobaeksu, Saenal, and Songkwang, all blacklisted by the US Office of Foreign Assets Control.
The payment flow follows a familiar laundering pattern: crypto gets converted to fiat currency, then routed through Chinese bank accounts via Payoneer and similar online payment platforms. Wallet tracing revealed connections to other known North Korean addresses that Tether subsequently blacklisted in December. This network integration suggests coordination across multiple state-backed operations.
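The wallet tracing described above (following funds from payment addresses outward until they touch addresses already blacklisted by an issuer or a sanctions list) can be reduced to a shortest-path search over a transfer graph. The following is an added example, not code from the report or from ZachXBT; the ledger entries, address names and denylist are constructed placeholders, and the hop limit is an assumption chosen to keep exposure checks bounded.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ledger: (sender, receiver, amount). Every address here is
# a hypothetical placeholder invented for this example, not from the report.
TRANSFERS: List[Tuple[str, str, float]] = [
    ("payer_01", "hub_A", 5000.0),
    ("payer_02", "hub_A", 3200.0),
    ("hub_A", "exchange_X", 8000.0),
    ("hub_A", "mixer_M", 200.0),
    ("mixer_M", "flagged_1", 190.0),
    ("payer_03", "merchant_Y", 50.0),
    ("merchant_Y", "merchant_Y_cold", 50.0),
]

# Hypothetical denylist standing in for an issuer's freeze list or OFAC entries.
BLACKLIST: Set[str] = {"flagged_1", "flagged_2"}


def build_graph(transfers: List[Tuple[str, str, float]]) -> Dict[str, Set[str]]:
    """Directed adjacency: sender -> set of receivers (amounts are ignored for reachability)."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return graph


def trace_to_blacklist(
    graph: Dict[str, Set[str]],
    start: str,
    blacklist: Set[str],
    max_hops: int = 4,
) -> Optional[List[str]]:
    """Breadth-first search for the shortest outbound path from `start` to any
    denylisted address within `max_hops` transfers. Returns the path or None."""
    if start in blacklist:
        return [start]
    queue = deque([(start, [start])])
    visited = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:      # hop budget exhausted on this branch
            continue
        for nxt in sorted(graph.get(node, ())):   # sorted for deterministic output
            if nxt in visited:
                continue
            new_path = path + [nxt]
            if nxt in blacklist:
                return new_path
            visited.add(nxt)
            queue.append((nxt, new_path))
    return None


def screen_counterparties(
    addresses: List[str],
    transfers: List[Tuple[str, str, float]],
    blacklist: Set[str],
    max_hops: int = 4,
) -> Dict[str, Optional[List[str]]]:
    """Screen a batch of addresses; each maps to its exposure path or None if clean."""
    graph = build_graph(transfers)
    return {addr: trace_to_blacklist(graph, addr, blacklist, max_hops) for addr in addresses}


if __name__ == "__main__":
    for addr, path in screen_counterparties(["payer_01", "payer_03"], TRANSFERS, BLACKLIST).items():
        status = " -> ".join(path) if path else "no denylist exposure within hop limit"
        print(f"{addr}: {status}")
```

In this constructed ledger `payer_01` reaches `flagged_1` in three hops via `hub_A` and `mixer_M`, while `payer_03` only ever pays a merchant and comes back clean. The hop limit matters: the same search with `max_hops=2` reports `payer_01` as clean, which is the usual trade-off between a cheap screen and a deeper investigation.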
The Fake Identity Playbook
The crew wasn't breaking new ground in operational security. Screenshots show Jerry using an Astrill VPN to access Gmail and submit applications for full-stack developer and software engineer positions on Indeed. One unsent email reveals Jerry applying for a WordPress SEO specialist role at a Texas-based t-shirt company, requesting $30 per hour for 15-20 hours weekly—hardly a sophisticated cover story.
Identity fraud was equally basic. A worker named "Rascal" shared fabricated Hong Kong billing statements under a fake name and address, plus photos of what appeared to be an Irish passport. Whether the passport actually saw deployment remains unclear.
Context: Broader Threat Landscape
This exposed unit pales in comparison with North Korea's actual heavyweight cyber squads. North Korean state-backed operations have stolen over $7 billion since 2009, with crypto projects bearing the brunt of the assault. We're talking about the $1.4 billion Bybit exchange hack, the $625 million Ronin bridge compromise, and the $280 million Drift Protocol theft on April 1.
ZachXBT noted these exposed workers were "far less sophisticated" than established North Korean groups like AppleJeus and TraderTraitor—units that "operate far more efficiently and present the greatest risks to the industry." That's important context: what got burned here was probably a secondary revenue stream, not their A-team.
Alpha Take
This breach exposes the mechanics of how North Korean state actors monetize cyber capabilities—blending legitimate gig work with targeted hacking for maximum deniability and operational efficiency. While the exposed unit was relatively crude, the $3.5 million quarterly haul demonstrates why these operations remain persistent threats to crypto projects. Investors and protocols should assume more sophisticated variants remain undetected; this data point represents a detection, not a complete picture of North Korean crypto-targeting activity.
Originally reported by CoinTelegraph
Not financial advice. Crypto investing involves significant risk. Past performance does not guarantee future results. Always do your own research.