A group of North Korean IT workers reportedly made more than $3.5 million in a few months by faking identities to work as developers and attempting to hack crypto projects, according to documents obtained by a hacker who compromised one of their devices.
Blockchain sleuth ZachXBT shared the leaked data on X, showing that one worker, “Jerry,” and a team of about 140 members were bringing in roughly $1 million a month, totaling around $3.5 million in crypto since late November. Payments were coordinated on a site called “luckyguys.site” using the shared password “123456.” Some users on the platform appeared tied to the entities Sobaeksu, Saenal and Songkwang, which are sanctioned by the U.S. Office of Foreign Assets Control.
Those crypto payments were reportedly converted to fiat and routed to Chinese bank accounts through online payment services like Payoneer. Tracing the wallets revealed connections to other known North Korean addresses previously blacklisted by Tether.
North Korean state-backed actors continue to threaten the crypto industry with increasingly sophisticated hacks and scams. Since 2009, such groups have been linked to thefts exceeding $7 billion, with major incidents including the $1.4 billion Bybit-related theft, the $625 million Ronin bridge exploit and the $280 million Drift Protocol hack on April 1.
The leaked data included a leaderboard showing how much crypto each IT worker had brought in for the organization since Dec. 8, with links to blockchain explorer pages for transactions. Screenshots indicate Jerry used an Astrill VPN to access Gmail and submitted applications for full-stack developer and software engineer roles on Indeed. An unsent email drafted for a WordPress content and SEO role sought $30 an hour for 15–20 hours per week.
Identification documents appear to have been falsified in some cases. One member, “Rascal,” shared a billing statement with a fake name and Hong Kong address and posted a photo of an Irish passport, though it’s unclear whether the passport was ever used.
ZachXBT cautioned that this group seemed less sophisticated than other North Korean operations like AppleJeus and TraderTraitor, which are considered more efficient and pose greater risks to the industry.
Cointelegraph says it is committed to independent, transparent journalism and encourages readers to verify information independently, per its Editorial Policy.