ZachXBT recently shared leaked data exposing a North Korean-linked IT worker network that generates roughly $1 million per month around $3.5 million since late November 2025 through fake identities while working remote developer jobs, often in crypto projects.
The on-chain investigator posted about documents obtained after an unnamed hacker compromised one of the group’s devices. The leaks reportedly include internal payment records showing a team of about 140 members, with one individual (“Jerry”) tied to the operation. Funds are paid in crypto and converted to fiat, often routed through services like Payoneer, using forged documents and stolen or fake identities to secure remote IT/development roles.
This fits a broader, well-documented pattern of North Korean (DPRK) actors—sometimes linked to state-sponsored groups like Lazarus—sending IT workers overseas or having them operate remotely under false pretenses. They earn legitimate salaries from tech and crypto companies while potentially gathering intelligence, inserting backdoors, or committing direct thefts.
Previous ZachXBT investigations have highlighted similar clusters infiltrating dozens of projects, with one earlier example noting $300K–$500K monthly flows to a single entity via fake identities. DPRK IT workers have reportedly embedded in DeFi and crypto firms for years, sometimes for extended periods; the recent $270–285M Drift Protocol exploit involved a 6+ month social engineering operation with in-person meetings and a large deposit as a Trojan horse.
North Korea-linked actors have been attributed with a significant portion of major crypto heists in recent years, including high-profile incidents totaling billions. However, not every hack is automatically Lazarus—ZachXBT has pushed back against over-attribution in some cases. Crypto enables salary payments and fund movement that bypasses traditional sanctions, with flows often going through mixers, exchanges, or intermediaries before conversion.
ZachXBT’s thread and the underlying leaked data provides an insider view into their internal payment server, which is rare and valuable for understanding operations. He noted the research performed well initially but was somewhat overshadowed by other posts. This highlights ongoing risks in remote hiring for crypto and DeFi teams: weak KYC and verification, especially for contractors.
Projects should use robust identity checks, code audits, and monitoring for suspicious commits or access patterns. These operations continue to evolve, blending legitimate remote work with espionage and theft to fund the regime while evading sanctions.
The exposure by ZachXBT of this North Korean IT worker network; processing ~$1M monthly and ~$3.5M since late 2025 has several layered impacts across security, regulatory, economic, and industry levels. While the leak itself is recent, it builds on years of documented DPRK infiltration tactics.
The leak provides rare internal visibility: payment records, chat logs via IPMsg, fake identity documents, remittance hubs and conversion flows through crypto exchanges, Payoneer, and Chinese banks. This gives investigators, companies, and law enforcement concrete data to identify patterns, freeze addresses and trace funds. Teams that discover they’ve hired linked individuals may terminate contracts quickly.
It may force the network to adapt tactics, such as better VPNs or new identities, but the breach of their internal payment server exposes operational weaknesses like poor security hygiene. ZachXBT noted the research gained less traction than expected compared to other posts, but it still circulates in crypto security circles. DPRK-linked workers have reportedly embedded in 40+ DeFi protocols since DeFi summer, sometimes contributing actual code to well-known projects.
Not all were purely fraudulent—some delivered work—but this creates persistent risks of backdoors, malicious commits, data exfiltration, or future exploits. ZachXBT has previously tied similar networks to 25+ incidents involving code insertion leading to treasury drains or team extortion. The recent high-profile $270–285M Drift Protocol exploit involved 6+ months of social engineering, in-person meetings at conferences, and a Trojan horse deposit—showing how trust-building escalates to massive losses.
Estimates suggest hundreds of such operatives may hold crypto-related jobs, generating hundreds of millions annually for the regime. This funds WMD and missile programs, violating sanctions. The U.S. Treasury has sanctioned individuals and entities facilitating these schemes, targeting fake identity networks that convert salaries to fiat/crypto for the DPRK. The exposure adds fresh evidence for further designations and enforcement. Companies unknowingly paying sanctioned actors risk penalties.
Increased scrutiny on remote hiring, especially in crypto: Projects face pressure to implement stronger KYC, background checks, video interviews, code contribution audits, and sanctions screening. Fintech platforms and exchanges involved in conversions may tighten compliance. Funds support North Korea’s regime, linking cybercrime directly to national security threats. This amplifies calls for better public-private cooperation in tracking these flows.
Peer code reviews and sandboxing for contractors. Monitoring for unusual access or commit patterns. Avoiding over-reliance on remote freelancers without robust vetting. Some projects are highlighted for stronger skepticism toward contributors, serving as models. Others, like Solana-related teams, have faced public calls to address past hires.
Legitimate developers from certain regions may face extra hurdles, creating hiring friction in an already competitive space. The $1M/month figure here is one slice of a larger ecosystem. Repeated stories of infiltration erode trust in decentralized hiring and remote work models popular in Web3. It underscores why trust-minimized systems still require human vigilance. No single massive drain tied directly to this leak yet, but cumulative losses from DPRK-linked activity contribute to overall sector volatility and insurance costs.
ZachXBT’s work acts as a deterrent and intelligence booster, pushing the industry toward harder defenses while complicating DPRK operations. However, these networks are resilient and evolve—expect continued adaptations like deeper social engineering. Crypto teams should treat hiring as a high-risk vector alongside smart contract audits.
