Password "123456" Exposes North Korean IT Worker Network Infiltrating Crypto Industry
On-chain investigator ZachXBT uncovered a sophisticated DPRK IT worker network embedded in crypto projects after obtaining leaked data from an internal North Korean payment server containing 390 accounts and crypto transaction records.
On-chain investigator ZachXBT has published a sweeping investigation into a network of North Korean IT workers who infiltrate crypto projects under fabricated identities to eventually hack them. The breakthrough came from a trivially simple password — "123456" — left unchanged on an internal coordination platform.
«Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate…» — ZachXBT (@zachxbt), original post
Why This Matters
North Korean hacking groups have long been recognized as a top-tier threat to the crypto industry. However, this investigation provides an unprecedented look inside an active operation — from organizational charts and payment infrastructure to training curricula and fiat off-ramping methods. The more than $3.5 million traced to associated wallets in just a few months underscores the tangible risk faced by any crypto project hiring remote developers.
Inside the Operation
An anonymous source provided ZachXBT with data extracted from an internal DPRK payment server. The leak contained 390 user accounts, messenger chat logs, and cryptocurrency transaction records. According to the investigator, the scheme involved fake identities, forged documents, and crypto-to-fiat conversions totaling roughly $1 million per month.
The investigation began with a compromised computer belonging to a DPRK IT worker operating under the alias Jerry. Extracted data included IPMsg messenger logs, fraudulent job application profiles, and browser history. Analysis revealed that a site called luckyguys[.]site — an internal payment platform with a Discord-like interface — served as the hub where operatives reported payments to their handlers.
«The site's default password was 123456, which remained unchanged for ten users. The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations. Three companies which appeared are currently OFAC sanctioned: Sobaeksu,…» — ZachXBT (@zachxbt), original post
Three entities found in the data — Sobaeksu, Saenal, and Songkwang — are under OFAC sanctions. The luckyguys[.]site went offline shortly after ZachXBT's publication, though the investigator had already archived all materials.
«Update: The internal DPRK payment site has since been taken down after my post. However all data was archived in advance.» — ZachXBT (@zachxbt), original post
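The default-password finding above is exactly what an internal audit should catch before an adversary or an investigator does. The following is an added example for this article, not ZachXBT's tooling and not code from the payment site: given an exported user table with salted PBKDF2 hashes (the hash scheme, the user records and the candidate password list are all constructed assumptions), it flags every account whose stored hash still verifies against the shipped default or another common password, and reports how many accounts never rotated the default.

```python
"""Audit an exported user table for accounts still on the default password.

Added example for this article; not ZachXBT's tooling and not code from the
payment site. The hash scheme (salted PBKDF2-HMAC-SHA256), the user records
and the candidate password list are constructed assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor for the constructed hashes
DEFAULT_PASSWORD = "123456"   # the shipped default the article describes

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time compare so the audit itself does not leak via timing.
    return hmac.compare_digest(hash_password(password, salt), stored)

def make_user(name: str, role: str, password: str) -> dict:
    """Build one constructed user record as an export might contain it."""
    salt = os.urandom(16)
    return {"user": name, "role": role, "salt": salt,
            "hash": hash_password(password, salt)}

# Constructed sample export: two accounts never changed the default.
USERS = [
    make_user("admin-a", "admin", DEFAULT_PASSWORD),
    make_user("dev-b", "member", "correct horse battery staple"),
    make_user("dev-c", "member", DEFAULT_PASSWORD),
    make_user("dev-d", "member", "password1"),
]

# The default plus a handful of common choices; a real audit would use a
# larger breach-derived list.
CANDIDATES = [DEFAULT_PASSWORD, "password", "password1", "qwerty", "12345678"]

def find_weak_accounts(users, candidates=CANDIDATES):
    """Return (user, role, matched_password) for each account whose stored
    hash verifies against a candidate. Stops at the first match per user."""
    findings = []
    for u in users:
        for cand in candidates:
            if verify(cand, u["salt"], u["hash"]):
                findings.append((u["user"], u["role"], cand))
                break
    return findings

def default_password_report(users, default=DEFAULT_PASSWORD):
    """Count accounts still on the shipped default; these should be forced
    to rotate at next login rather than merely reported."""
    hits = [u["user"] for u in users if verify(default, u["salt"], u["hash"])]
    return {"default": default, "unchanged": len(hits), "users": hits}

if __name__ == "__main__":
    for user, role, pw in find_weak_accounts(USERS):
        print(f"WEAK  {user:<8} role={role:<7} matches {pw!r}")
    print(default_password_report(USERS))
```

Run it as a script to print the findings. The check is offline and only needs the exported salt and hash per user; the remediation it points at is forcing a password change on first login and rejecting the default (and other breach-list entries) at set-password time, so the count in the report never exceeds zero.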
Money Flows and Transaction Details
Between December 2025 and April 2026, a WebMsg user operating under the alias Rascal coordinated payment transfers and the use of fraudulent identities with server administrator PC-1234. Every transaction was processed and confirmed through the PC-1234 admin account.
«Here is one of the WebMsg users 'Rascal' and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026. All payments are processed and confirmed through the server admin account: PC-1234. Addresses in Hong…» — ZachXBT (@zachxbt), original post
Payments for goods and invoices were routed through Hong Kong-based addresses (their authenticity is still being verified). Since late November 2025, more than $3.5 million flowed into associated wallets. The pattern was consistent: operatives either withdrew crypto from exchanges or converted it to fiat through Chinese bank accounts using services like Payoneer.
ZachXBT reconstructed the full organizational structure of the network, including per-user and per-group payment breakdowns from December 2025 through February 2026. On-chain analysis revealed connections to several previously identified DPRK IT worker clusters. In December 2025, Tether froze one of the linked wallets on the TRON network.
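A simplified version of the kind of reconstruction described above, written here as an added example rather than ZachXBT's own method or data. The roster mapping wallets to aliases and groups, the collection address, the exchange deposit address and the transfer ledger are all constructed. It produces per-user and per-group totals within a date window and then traces funds forward from the collection address hop by hop, so that an analyst can see which downstream wallets, including a known off-ramp, the money reaches.

```python
"""Per-user / per-group payment breakdown and forward tracing of funds.

Added example for this article; not ZachXBT's method or data. The roster,
collection address, exchange deposit address and ledger are all constructed.
"""
from collections import defaultdict, deque
from datetime import date

# Constructed roster: wallet -> (alias, group). Not real addresses.
ROSTER = {
    "Wallet-W1": ("worker-1", "group-A"),
    "Wallet-W2": ("worker-2", "group-A"),
    "Wallet-W3": ("worker-3", "group-B"),
}
COLLECTOR = "Wallet-COLLECT"                # where workers send payments
OFFRAMPS = {"Wallet-EXCHANGE-DEP"}          # constructed exchange deposit address
WINDOW_START, WINDOW_END = date(2025, 12, 1), date(2026, 2, 28)

# Constructed ledger: (date, sender, receiver, amount). One token assumed.
LEDGER = [
    (date(2025, 11, 28), "Wallet-W1", COLLECTOR, 8_000.0),    # before window
    (date(2025, 12, 3),  "Wallet-W1", COLLECTOR, 12_000.0),
    (date(2025, 12, 19), "Wallet-W2", COLLECTOR, 5_500.0),
    (date(2026, 1, 8),   "Wallet-W3", COLLECTOR, 9_000.0),
    (date(2026, 2, 14),  "Wallet-W1", COLLECTOR, 4_500.0),
    (date(2026, 3, 2),   "Wallet-W2", COLLECTOR, 7_000.0),    # after window
    # Onward movement: collector -> intermediary -> exchange deposit.
    (date(2026, 1, 10),  COLLECTOR, "Wallet-HOP1", 20_000.0),
    (date(2026, 1, 11),  "Wallet-HOP1", "Wallet-EXCHANGE-DEP", 19_900.0),
    (date(2026, 2, 20),  COLLECTOR, "Wallet-HOP2", 6_000.0),
]

def breakdown(ledger, roster, collector, start, end):
    """Sum what each rostered wallet sent to `collector` within [start, end]
    and roll the totals up by user alias and by group."""
    per_user, per_group = defaultdict(float), defaultdict(float)
    for d, src, dst, amt in ledger:
        if dst != collector or src not in roster or not (start <= d <= end):
            continue
        alias, group = roster[src]
        per_user[alias] += amt
        per_group[group] += amt
    return dict(per_user), dict(per_group)

def trace_downstream(ledger, seed, max_hops=3):
    """Breadth-first walk along outgoing transfers from `seed`.
    Returns {address: (min_hops, total_inflow)} for every address reached
    within `max_hops`. Each address is expanded once, so cycles terminate
    and every transfer is counted exactly once."""
    out_edges = defaultdict(list)
    for _, src, dst, amt in ledger:
        out_edges[src].append((dst, amt))
    reached = {}                 # address -> [hops, inflow]
    expanded = set()
    queue = deque([(seed, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in expanded or hops >= max_hops:
            continue
        expanded.add(addr)
        for dst, amt in out_edges[addr]:
            entry = reached.setdefault(dst, [hops + 1, 0.0])
            entry[1] += amt
            queue.append((dst, hops + 1))
    return {a: (h, v) for a, (h, v) in reached.items()}

def offramps_reached(ledger, seed, offramps, max_hops=3):
    """Subset of trace_downstream() restricted to known off-ramp addresses."""
    return {a: hv for a, hv in trace_downstream(ledger, seed, max_hops).items()
            if a in offramps}

if __name__ == "__main__":
    users, groups = breakdown(LEDGER, ROSTER, COLLECTOR, WINDOW_START, WINDOW_END)
    print("per user :", users)
    print("per group:", groups)
    for addr, (hops, inflow) in sorted(trace_downstream(LEDGER, COLLECTOR).items()):
        tag = "OFF-RAMP" if addr in OFFRAMPS else ""
        print(f"{hops} hop(s)  {addr:<22} {inflow:>10,.2f} {tag}")
```

The breakdown deliberately excludes transfers outside the window and senders not on the roster, so the totals answer only the question asked (who paid how much, in which period). The forward trace records the minimum hop count at which each address is first reached and the total value that arrived there; on real chain data the ledger would come from an indexer and the roster from the leaked account list, but the walk itself is the same.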
VPNs, Deepfakes, and Theft Attempts
Jerry's compromised device showed evidence of Astrill VPN usage and numerous fake resumes used for job applications.
«Jerry's compromised device shows usage of Astrill VPN and various fake personas applying for jobs. An internal Slack showed 'Nami' sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren't allowed to…» — ZachXBT (@zachxbt), original post
In a Slack channel, a user named Nami shared an article about a DPRK IT worker deepfake job applicant. One colleague asked if the article was about them, while another reminded the group that sharing external links was prohibited. Jerry was also found discussing a potential theft from the Arcano project (a game on GalaChain) with another DPRK IT worker, using a Nigerian proxy. Whether this attack was carried out remains unknown.
Training Programs and Threat Level
From November 2025 through February 2026, the server administrator distributed 43 Hex-Rays/IDA Pro training modules to the group, covering disassembly, decompilation, local and remote debugging, and related reverse-engineering techniques.
ZachXBT noted that this particular group is less sophisticated than AppleJeus and TraderTraitor — the latter two operate more efficiently and pose the greatest threat to the industry. He had previously estimated that North Korean developers earn several million dollars monthly, and the newly leaked data corroborated those figures.
How to Spot a DPRK Agent
In a related development, a video went viral on X showing a job interview where a suspected DPRK IT worker was asked to insult Kim Jong Un. The candidate, who had been posing as a Japanese national named Taro Aikuchi, froze immediately — the feed went still right after the request. Criticizing the leader is a criminal offense in North Korea. The day after the video was posted, the individual deleted their LinkedIn and personal website profiles and changed their Telegram username.
Earlier in April, MetaMask security researcher Taylor Monahan stated that North Korean IT workers have been infiltrating DeFi protocols for at least seven years. Among the affected projects she identified were SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki, and many others.
Frequently Asked Questions
How do North Korean IT workers infiltrate crypto projects?
DPRK operatives create fake identities with forged documents and resumes, then apply for remote developer positions at crypto projects. They use VPN services like Astrill VPN and deepfake technology during interviews to conceal their true identity and location.
How much money do DPRK crypto hackers make?
According to ZachXBT's investigation, the network converted approximately $1 million per month from crypto to fiat. Over $3.5 million flowed into associated wallets since late November 2025 alone.
Which crypto projects were affected by North Korean workers?
MetaMask security researcher Taylor Monahan identified SushiSwap, Thorchain, Fantom, Shib, Yearn, and Floki among affected projects. The leaked data also showed Jerry discussing a potential theft from the Arcano project on GalaChain; whether that attack was ever carried out is unknown.
What is the luckyguys DPRK payment site?
Luckyguys[.]site was an internal payment platform with a Discord-like interface where North Korean IT agents reported payments to their supervisors. The site was taken down shortly after ZachXBT published his investigation, though all data had been archived beforehand.
How can you detect a North Korean hacker in a job interview?
A viral video on X showed an effective test: asking the candidate to insult Kim Jong Un. The suspected DPRK operative immediately froze because criticizing the leader is a criminal offense in North Korea. The next day, the individual deleted their LinkedIn and personal website profiles.
