North Korean IT specialists earned $3.5 million from crypto projects
An investigation by ZachXBT uncovered a large-scale scheme and links to sanctioned organizations.
09.04.2026 - 12:05
Key points:
- North Korean IT specialists earned over $3.5 million by posing as developers for crypto projects.
- An investigation by ZachXBT uncovered fake identities, international financial schemes, and connections to sanctioned organizations.
North Korean IT specialists earned more than $3.5 million in just a few months by posing as developers while simultaneously attempting to hack crypto projects. This is according to documents obtained by a hacker who breached one of their devices.
The leaked data was published on X by blockchain investigator ZachXBT. According to the findings, one member of the group, known as “Jerry,” worked as part of a 140-person team. On average, they earned around $1 million per month, accumulating $3.5 million in cryptocurrency since late November.
Earnings Scheme and Fund Transfers
Payments were coordinated through the website luckyguys.site using the shared password “123456.” According to ZachXBT, some users of the platform appear to be affiliated with Sobaeksu, Saenal, and Songkwang—entities sanctioned by the U.S. Office of Foreign Assets Control (OFAC).
The cryptocurrency was converted into fiat currency and transferred to Chinese bank accounts via online payment platforms such as Payoneer. Wallet analysis also revealed connections to North Korean addresses that were blacklisted by Tether in December.
Fake Identities and a Global Threat
The operatives actively forged documents to secure employment with international companies. For instance, “Jerry” used the Astrill VPN to access Gmail and submitted applications for full-stack developer and software engineer positions on Indeed. In one draft email, he applied for a WordPress and SEO specialist role at a Texas-based T-shirt company, requesting $30 per hour for 15–20 hours per week.
Another participant, known as “Rascal,” submitted falsified utility bills using a fake Hong Kong address and shared a photo of an Irish passport. The leak also included an internal ranking system that tracked how much cryptocurrency each IT specialist generated for the organization.
North Korean hackers continue to pose a significant threat to the crypto industry. Since 2009, they have stolen more than $7 billion, much of it from crypto-related projects. Among the most notable incidents are the $1.4 billion Bybit hack and the $625 million Ronin Bridge breach. They have also been accused of orchestrating a $280 million attack on Drift Protocol.