$1 million a month. That’s the grim tally from North Korea’s latest crypto grift.
ZachXBT, the blockchain detective who’s made a career of chasing digital crooks, dug into a leaked payment server and found 390 accounts tied to DPRK IT workers. These aren’t your garden-variety freelancers—they’re state-backed operatives posing as coders, landing remote gigs at crypto firms, and funneling earnings home via crypto wallets. Since November, it’s netted over $3.5 million. Facts first: chat logs, wallet traces, forged IDs—all laid bare.
Inside the Remittance Machine
Picture a Slack channel, but for laundering wages. That’s the hub—a messaging-like app where workers log earnings, get payout directives from a boss account, and route funds through Tron and other chains. Then? Fiat swaps via Chinese banks or Payoneer. One address? Frozen by Tether last December—linked to known North Korean clusters.
VPNs hide their Seoul basements (or wherever). Fake LinkedIns flood job boards. They even eyed a crypto gaming project, per chats. Scale it across hundreds: steady cash, no explosions needed.
The dataset includes chat logs, wallet activity, and identity records, offering a detailed view into how the operation functions.
ZachXBT’s drop nails it. No hype—just data dumps proving coordination.
And here’s the kicker—it’s not Lazarus-level wizardry. No zero-days, no bridge heists. Just persistence. DPRK’s playbook shift? From billion-dollar bangs to million-dollar drips.
Does This Beat DPRK’s Hack-and-Grab Routine?
Yes. Wildly.
Lazarus grabs headlines with $625 million Ronin raids. But IT moonlighting? Low profile, repeatable. Reports peg these schemes at seven figures monthly—matches ZachXBT’s math. Remember that Solana project yanking liquidity after spotting a DPRK ex-employee? Or the $280 million social-engineering hit? Same vibe: infiltrate, extract, exit.
My take? It’s Cold War spycraft rebooted for Web3. Back then, Soviets planted engineers in U.S. firms (think Rosenberg parallels). Now? Pyongyang’s outsourcing army hits crypto’s trust gap. Bold call: by 2025, this forces “blockchain KYC” mandates—firms scanning commit histories for DPRK wallet ties. Hype from exchanges saying “we vet hard”? Please. This exposes the fluff.
North Korea’s stolen $7 billion+ since 2009, crypto-heavy. But workers scale without burnout.
They’re not replacing coders—they’re us.
Why Is Your Crypto Gig Board Bleeding?
Remote work exploded. Crypto loves it—hire global, pay in USDT, skip offices. Perfect for fakes.
Gaps everywhere. Identity checks? LinkedIn selfies and GitHub repos. No deep dives into wallet histories or IP patterns. Payments? Mixers and bridges obscure trails till ZachXBT-types connect dots.
One sprawling truth: crypto’s anonymity—your killer feature—is their golden ticket. Firms tout DeFi freedom, but it’s a vector for states like DPRK dodging sanctions. We’ve seen it in mixer crackdowns (Tornado Cash, anyone?). Now hiring’s the frontier.
Investor angle? Risk reprices. Protocols, exchanges—beef up onboarding. AI-flagged anomalies in commit patterns. Transaction graphs on applicants. Or watch margins erode to ghost workers.
Look, DPRK’s rational. Sanctions starve them; this feeds the machine. Crypto? Wake up or fund missiles.
A six-month dense scan: networks like this popped in Vietnam outsourcing hubs first—DPRK hijacked the model, weaponized it. Revenue steady at $1M/month. 390 accounts. $3.5M total. Chats reference gaming targets. Frozen Tron wallet. Chinese fiat ramps. It’s a workflow, not a wild west hack.
Compliance lags tech. RegTech tools exist—wallet clustering, behavioral flags—but adoption’s spotty. Why? Cost. Until a $100M breach hits via an “Indian dev.”
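As an added illustration (not from ZachXBT's dataset or any vendor's tooling), here is a minimal Python sketch of the two checks named above: tracing a contractor's payout wallet forward to a flagged address, and spotting supposedly unrelated contractors whose payouts converge on one destination. Every address label, amount and the hop limit is a constructed assumption.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in USDT); labels are
# placeholders, not real on-chain addresses.
TRANSFERS = [
    ("EMPLOYER", "PAYOUT_A", 5000),
    ("EMPLOYER", "PAYOUT_B", 4800),
    ("EMPLOYER", "PAYOUT_C", 5200),
    ("PAYOUT_A", "HOP_1", 4900),
    ("PAYOUT_B", "HOP_1", 4700),
    ("HOP_1", "HOP_2", 9500),
    ("HOP_2", "FLAGGED_X", 9400),
    ("PAYOUT_C", "EXCHANGE_DEPOSIT", 5100),
]
FLAGGED = {"FLAGGED_X"}  # stands in for an issuer-frozen address (constructed)


def build_graph(transfers):
    """Adjacency list of outgoing transfers: sender -> set of receivers."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return graph


def path_to_flagged(start, transfers, flagged, max_hops=3):
    """Shortest forward path from start to a flagged address, or None."""
    graph = build_graph(transfers)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in flagged:
            return path
        if len(path) - 1 >= max_hops:  # hop budget spent, stop expanding
            continue
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def shared_destinations(payout_wallets, transfers):
    """Addresses that receive directly from two or more payout wallets."""
    senders = defaultdict(set)
    for sender, receiver, _amount in transfers:
        if sender in payout_wallets:
            senders[receiver].add(sender)
    return {dst: sorted(src) for dst, src in senders.items() if len(src) > 1}
```

A hit from either function is a reason for manual review, not proof: exchange deposit addresses and payment processors also aggregate funds from many unrelated senders.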
North Korea’s Crypto Infiltration: Real Threat or Overblown?
Threat. Hands down.
Not just theft—intel. Workers see codebases, roadmaps. That Solana scare? Tip of the iceberg. DPRK diversifies: hacks (flashy), fraud (scalable), labor (persistent). Steady $12M+ yearly from IT alone.
Crypto market? $2 trillion cap. $7B stolen DPRK share? Material. But this network layer—hiring risks—shifts audits from code to people.
Prediction: DOJ indictments spike 2024. Firms like Upwork, crypto job boards add chain-analysis APIs. Or become conduits.
Skeptical spin from DPRK PR? None—they don’t bother. Crypto’s the one gaslighting with “DYOR” on hires.
Frequently Asked Questions
What is the North Korea IT worker network?
A DPRK scheme using 390 fake accounts for remote crypto jobs, generating $1M/month via crypto payments—exposed by ZachXBT.
How do North Korean IT workers get paid?
Through internal apps directing crypto transfers, then fiat via China/Payoneer; wallets link to known illicit clusters.
Is my crypto company at risk from DPRK hires?
Yes—weak ID checks and remote norms make it easy; scan wallets and commits now.