Documents obtained from a compromised device allegedly show a group of North Korean IT workers earning roughly $3.5 million in crypto over a few months by using fake identities, applying for developer roles and attempting hacks against crypto projects.
Blockchain researcher ZachXBT posted the leaked material on X, identifying a member known as ‘Jerry’ and a team of about 140 people who reportedly generated roughly $1 million per month since late November. Payments on a site called luckyguys.site were coordinated with the shared password 123456. Some platform accounts appeared linked to entities Sobaeksu, Saenal and Songkwang, each sanctioned by the U.S. Office of Foreign Assets Control (OFAC).
The documents indicate crypto receipts were converted to fiat and moved into Chinese bank accounts through online payment services such as Payoneer. Traces of the wallets in the leak reportedly connect to other addresses previously blacklisted by stablecoin issuer Tether.
The materials include a leaderboard tracking how much crypto each team member brought in since Dec. 8, with links to blockchain explorer pages. Screenshots from the files show ‘Jerry’ using an Astrill VPN to access Gmail and submitting applications on Indeed for full-stack developer and software engineer positions. Another draft email — never sent — sought a WordPress content and SEO role at $30 an hour for 15–20 hours per week.
Some identity documents in the leak appear falsified. One member using the handle ‘Rascal’ shared a billing statement showing a fake name and a Hong Kong address and posted a photo of an Irish passport; it is unclear whether the passport was ever used.
ZachXBT cautioned that, based on the leak, this group appears less technically sophisticated than other North Korean operations such as AppleJeus and TraderTraitor, which industry observers consider more efficient and potentially more dangerous.
State-backed North Korean cyber groups have been a persistent threat to the crypto industry for years. Since 2009, various campaigns attributed to North Korean actors have been connected to thefts exceeding $7 billion, including large incidents like the Bybit-related loss reportedly totaling $1.4 billion, the $625 million Ronin bridge exploit and the $280 million Drift Protocol hack on April 1.
Cointelegraph emphasizes independent, transparent reporting and encourages readers to verify information independently, per its editorial policy.