Leaked documents reveal a North Korean cyber unit generated over $1 million per month by infiltrating the global remote work market. A counterhacker compromised their systems, exposing a sprawling operation that combined IT job fraud with attempts to hack cryptocurrency projects. The data, shared by blockchain investigator ZachXBT on April 9, 2026, shows the group’s startling lack of basic security, including a shared password of “123456.” This breach offers a rare look inside the financial engine of state-sponsored cybercrime.
The $1 Million-a-Month North Korean IT Operation
According to the leaked data, an IT worker using the alias “Jerry” led a team of approximately 140 members. Their activities, tracked since late November 2025, netted about $3.5 million in cryptocurrency. ZachXBT reported that the group coordinated payments through a website called “luckyguys.site.” The use of an extremely weak shared password allowed the counterhacker to access their systems. This suggests operational security was not a priority for this particular cell. The funds were converted to traditional currency and funneled to Chinese bank accounts via platforms like Payoneer.
Analysis of the wallet addresses showed links to other North Korean wallets that stablecoin issuer Tether blacklisted in December 2025. This connection indicates the operation was part of a broader, state-coordinated financial network. The US Treasury has sanctioned entities like Sobaeksu, Saenal, and Songkwang, which appear linked to users on the payment platform.
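The wallet analysis described above, where payout addresses were linked to addresses Tether had already blacklisted, amounts to a hop-distance check over a transfer graph. The following is an added illustration written for this article, not ZachXBT's tooling or any exchange's compliance code; the transfers, addresses and blacklist are constructed placeholders, not real on-chain data, and the three-hop limit is an assumed screening threshold.

```python
"""
Exposure screening over a constructed transfer graph.

Walks transfers in either direction from each payout address (funds flowing
to or from a flagged wallet both count as a link) and reports the shortest
hop distance to any blacklisted address within a fixed radius.
"""
from collections import deque

# Constructed sample transfers: (from_addr, to_addr, amount_usdt).
# Addresses are placeholders, not real wallets.
SAMPLE_TRANSFERS = [
    ("0xPAYOUT_A", "0xHOP_1", 1200.0),
    ("0xHOP_1", "0xBLACKLISTED_X", 1150.0),
    ("0xPAYOUT_B", "0xHOP_2", 800.0),
    ("0xHOP_2", "0xHOP_3", 790.0),
    ("0xHOP_3", "0xEXCHANGE_DEPOSIT", 780.0),
    ("0xPAYOUT_C", "0xBLACKLISTED_Y", 500.0),
    ("0xBLACKLISTED_Y", "0xPAYOUT_C", 20.0),   # small back-flow, still a link
]

# Constructed stand-in for an issuer or sanctions blacklist.
BLACKLIST = {"0xBLACKLISTED_X", "0xBLACKLISTED_Y"}


def build_graph(transfers):
    """Undirected adjacency map: a transfer in either direction is a link."""
    graph = {}
    for src, dst, _amount in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def hops_to_blacklist(graph, start, blacklist, max_hops=3):
    """Breadth-first search; returns (hops, blacklisted_addr) or None."""
    if start in blacklist:
        return 0, start
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:          # do not expand past the radius
            continue
        for nxt in graph.get(node, ()):
            if nxt in seen:
                continue
            if nxt in blacklist:
                return depth + 1, nxt
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return None


def screen_addresses(addresses, transfers=SAMPLE_TRANSFERS,
                     blacklist=BLACKLIST, max_hops=3):
    """Map each address to {'hops': n, 'via': addr} or None if no exposure."""
    graph = build_graph(transfers)
    report = {}
    for addr in addresses:
        hit = hops_to_blacklist(graph, addr, blacklist, max_hops)
        report[addr] = {"hops": hit[0], "via": hit[1]} if hit else None
    return report


if __name__ == "__main__":
    results = screen_addresses(["0xPAYOUT_A", "0xPAYOUT_B", "0xPAYOUT_C"])
    for addr, result in results.items():
        print(addr, "->", result or "no exposure within 3 hops")
```

On real data the graph would be built from an explorer or node export and the blacklist from the issuer's or OFAC's published lists; the hop radius is a tuning choice, since a large radius through a busy exchange deposit address will link almost everything to everything.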
Fake Identities and Remote Job Applications
The group’s method relied on fabricated identities to secure freelance and full-time IT positions. Screenshots show Jerry used an Astrill VPN to access Gmail and submit applications on job site Indeed. He sought roles like full-stack developer and software engineer. In one unsent email for a WordPress specialist job at a Texas company, he requested $30 per hour for 15-20 weekly hours.
Another worker, “Rascal,” shared images of a falsified billing statement with a fake Hong Kong name and address. Rascal also possessed a picture of an Irish passport. It is unclear if this document was ever used operationally. These tactics allowed the workers to appear as legitimate contractors from various countries, bypassing geographic restrictions and sanctions.
Inside the North Korean Cyber Workforce
The leaked data included a leaderboard ranking IT workers by the amount of cryptocurrency each had generated for the organization since December 8, 2025, with links to blockchain explorers providing the transaction details. This internal tracking points to a performance-based structure common in sales or hacking teams. Industry watchers note that such public scorekeeping is unusual for advanced threat groups, hinting at this unit’s specific role within the North Korean cyber apparatus.
ZachXBT stated these workers were less sophisticated than other North Korean groups like AppleJeus and TraderTraitor. Those groups “operate far more efficiently and present the greatest risks to the industry,” he noted. The implication is that this exposed unit may have focused more on revenue generation through fraud than on complex, high-value hacking.
Billions Stolen: The Scale of North Korean Crypto Crime
This incident is a single thread in a much larger tapestry of state-sponsored theft. According to United Nations reports, North Korean cyber actors have stolen over $7 billion since 2009. A significant portion comes from cryptocurrency projects. Major attacks attributed to North Korea include:
- The Bybit Hack (2022): $1.4 billion stolen from the crypto exchange.
- The Ronin Bridge Hack (2022): $625 million taken from the Axie Infinity sidechain.
- The Drift Protocol Hack (April 2026): A $280 million exploit blamed on North Korean hackers.
These funds are widely assessed to support the regime’s weapons programs and circumvent international sanctions. The IT job scheme provides a steady, lower-risk income stream alongside these high-stakes heists.
What This Means for Crypto and Remote Work Security
The exposure has immediate implications. For the cryptocurrency industry, it underscores the persistent threat from nation-state actors. It also highlights the need for enhanced due diligence on project contributors and employees. The use of platforms like Payoneer to cash out shows how traditional fintech can be exploited for sanctions evasion.
For the global remote work economy, this is a wake-up call. Companies hiring freelance developers face new challenges in verifying identities. Basic background checks can be insufficient against well-resourced state actors. This could signal a shift toward more rigorous, multi-factor identity verification for remote tech roles. The incident also puts pressure on payment processors to improve sanctions screening.
Conclusion
The counterhacker’s exposure of North Korean IT workers reveals a dual-threat operation: defrauding the global job market while targeting crypto projects. The group’s $1 million monthly revenue shows the profitability of this scheme. Their basic operational mistakes, like using “123456” as a password, led to their downfall. But the scale of North Korean cybercrime remains vast. This case reinforces that cybersecurity is not just about protecting code, but also about verifying the people behind the keyboards. As remote work grows, so too will attempts to exploit it for illicit finance.
FAQs
Q1: How were the North Korean IT workers caught?
A counterhacker compromised one of their devices and accessed internal data, which was then shared with blockchain investigator ZachXBT. The group used a dangerously simple shared password on their payment coordination site.
Q2: What did the North Korean workers do with the money they earned?
According to the leaked data, cryptocurrency payments were converted to fiat currency and sent to Chinese bank accounts using online payment platforms. These funds likely support the North Korean regime and its sanctioned programs.
Q3: Are all North Korean IT workers hackers?
Not necessarily. The exposed group engaged in both IT job fraud and attempted crypto hacks. However, ZachXBT noted this unit was less sophisticated than other known North Korean hacking groups, suggesting a focus on revenue generation.
Q4: How can companies protect themselves from such fraud?
Experts recommend enhanced identity verification for remote hires, including multi-factor checks and scrutiny of digital footprints. Companies should also be wary of contractors using VPNs to mask locations and should conduct thorough technical interviews.
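The checks recommended above (location masking, mismatched digital footprints, infrastructure reused across applicants) can be turned into a simple screening score over the telemetry an applicant portal already collects. The following is an added example written for this article, not any hiring platform's code; the IP-to-country table, the VPN/hosting ASN list, the timezone table and the applicant records are all constructed placeholders, and the weights and threshold are assumptions a team would tune.

```python
"""
Remote-hire screening score from applicant session telemetry.

Signals scored (all thresholds are assumed, not from any vendor):
  - IP geolocates to a different country than the applicant claims
  - IP's ASN belongs to a VPN or hosting provider
  - browser timezone offset is impossible for the claimed country
  - device fingerprint already seen on another applicant's session
"""
import ipaddress

# Constructed lookup tables using documentation prefixes and private-use ASNs.
IP_COUNTRY = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "HK",
    "192.0.2.0/24": "IE",
}
VPN_OR_HOSTING_ASNS = {64500, 64501}
# Plausible UTC offsets in minutes (east positive) per claimed country.
COUNTRY_UTC_OFFSETS = {
    "US": {-240, -300, -360, -420, -480, -540, -600},
    "HK": {480},
    "IE": {0, 60},
}


def ip_country(ip):
    """Return the country code for an IP from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


def score_applicant(app, seen_fingerprints):
    """Return (score, reasons) for one applicant record and update the
    fingerprint registry shared across the batch."""
    score, reasons = 0, []
    cc = ip_country(app["ip"])
    if cc and cc != app["claimed_country"]:
        score += 30
        reasons.append(f"ip geolocates to {cc}, claimed {app['claimed_country']}")
    if app["asn"] in VPN_OR_HOSTING_ASNS:
        score += 25
        reasons.append("asn on vpn/hosting list")
    if app["tz_offset"] not in COUNTRY_UTC_OFFSETS.get(app["claimed_country"], set()):
        score += 25
        reasons.append(f"browser utc offset {app['tz_offset']} impossible for {app['claimed_country']}")
    prior = seen_fingerprints.get(app["fingerprint"])
    if prior is not None and prior != app["name"]:
        score += 40
        reasons.append(f"device fingerprint already used by {prior}")
    seen_fingerprints.setdefault(app["fingerprint"], app["name"])
    return score, reasons


def screen(applicants, threshold=50):
    """Score a batch; flag anyone at or above the threshold for manual review."""
    seen, report = {}, {}
    for app in applicants:
        score, reasons = score_applicant(app, seen)
        report[app["name"]] = {"score": score, "flag": score >= threshold,
                               "reasons": reasons}
    return report


# Constructed applicant sessions (not real people or addresses).
SAMPLE_APPLICANTS = [
    {"name": "applicant-1", "claimed_country": "US", "ip": "203.0.113.10",
     "asn": 64496, "tz_offset": -300, "fingerprint": "fp-aaa"},
    {"name": "applicant-2", "claimed_country": "US", "ip": "203.0.113.77",
     "asn": 64500, "tz_offset": 540, "fingerprint": "fp-bbb"},
    {"name": "applicant-3", "claimed_country": "IE", "ip": "198.51.100.5",
     "asn": 64501, "tz_offset": 480, "fingerprint": "fp-bbb"},
]

if __name__ == "__main__":
    for name, result in screen(SAMPLE_APPLICANTS).items():
        print(name, result)
```

The score is a triage signal for a human reviewer, not a rejection rule: a single VPN hit is common among legitimate contractors, whereas a timezone that cannot match the claimed country combined with a device fingerprint already seen on another application is the pattern that warrants a live technical interview and document verification.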
Q5: What is the US government doing about this?
The US Office of Foreign Assets Control (OFAC) has sanctioned several North Korean entities linked to cyber operations, including some named in this leak. The Treasury Department continues to blacklist cryptocurrency addresses associated with these activities.
This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.