Blockchain researcher ZachXBT has uncovered a North Korean-linked network of IT workers that is allegedly bringing in about $1 million per month. According to ZachXBT's investigation, detailed in a series of posts on the X platform, the group operates through fraudulent job applications and is paid in cryptocurrency. The data analyzed, sourced from an internal payments server linked to 390 accounts, offers new insight into the organization's financial movements.
Network structure and identified operations
ZachXBT's analysis shows that the network operates its members under multiple identities and relies on forged documents to do so systematically. Since last November, the operation is estimated to have generated over $3.5 million in total. Its payment system is modeled on an instant messaging platform: workers report their earnings to a central account and receive payment instructions from it.
The group typically moves its profits in cryptocurrency to various platforms, where the funds are converted into fiat money through Chinese bank accounts and services such as Payoneer. Some payment addresses traced in the investigation had previously been linked to North Korean IT operatives, and one Tron wallet identified within the network was frozen by Tether in December last year, tying the network to previously identified illicit activity.
Additional findings indicate that operatives routinely use VPNs to mask their locations and present fake identity details on job applications. Internal communication among team members runs over encrypted messaging tools, pointing to a coordinated operation with deliberate operational security.
Emerging incidents and global developments
Analysis of one device uncovered discussions about targeting a crypto gaming project, although it remains unclear whether any attack was ultimately carried out. Observers note that the group's tactics appear less sophisticated than those of more notorious organizations such as Lazarus, relying instead on straightforward schemes and persistent social engineering.
ZachXBT’s report indicates that these earnings are consistent with previous estimates about similar North Korean operations, many of which have long been suspected of generating seven-figure monthly sums to fund the country’s sanctioned programs.
Recent headlines have highlighted how Stabble, a Solana-based project, discovered that one of its former employees was a North Korean operative and responded by urging liquidity providers to withdraw their funds. Drift, another protocol, has attributed a $280 million loss to a months-long social engineering campaign allegedly orchestrated by actors with North Korean ties.
U.S. officials have also announced sanctions against individuals believed to have facilitated nearly $800 million in cryptocurrency fraud. These measures underscore the growing impact and organizational scale of cyber operations attributed to North Korea, and U.S. authorities have pointed to increased international efforts to disrupt state-backed networks that target digital assets.
International responses have ramped up amid concerns that money funneled through such cyber-enabled networks may fund state activities subject to global sanctions. Security experts recommend heightened vigilance, particularly in the decentralized finance sector, to prevent further exploitation by state-affiliated actors.
Blockchain analysts point out that while sanctions and asset freezes can hamper these networks, the groups adapt their tactics, so disrupting them will require sustained tracing work and international cooperation.
In the broader view, such findings highlight the ongoing challenge the global community faces in curbing illicit financial flows, given the pseudonymity and borderless nature of cryptocurrency transactions.