ZachXBT is blowing the lid off a clandestine North Korean network that’s been quietly infiltrating the crypto world.
Blockchain investigator ZachXBT has revealed what he describes as a sophisticated network of North Korean developers making up to $500,000 a month by working on established crypto projects.
In an August 15 post on X, ZachXBT informed his 618,000 followers that he believes a “single entity in Asia,” likely operating out of North Korea, is employing at least 21 developers across more than 25 crypto projects, raking in between $300,000 and $500,000 monthly.
ZachXBT shared that a team recently approached him for help after discovering that $1.3 million had been stolen from their treasury through malicious code. Unbeknownst to them, they had hired several DPRK IT workers who were using fake identities as developers.
He alleges that the stolen $1.3 million was laundered through a series of transactions, ultimately ending with 16.5 Ether being sent to two different exchanges. Further investigation led ZachXBT to believe these developers are part of a much larger network.
By tracking a group of payment addresses, the investigator discovered a network of developers who received a combined $375,000 in the past month. In total, $5.5 million flowed into their accounts between July 2023 and early 2024. These funds were ultimately transferred to a single exchange deposit address.
The investigator linked these payments to North Korean IT workers and Sim Hyon Sop, an individual sanctioned by the U.S. government for allegedly supporting North Korea’s weapons programs through financial transactions. Additional payment addresses were connected to another sanctioned individual, Sang Man Kim, known for involvement in North Korea-linked cybercrime.
US law enforcement believes Kim is involved in paying salaries to the family members of Chinyong’s overseas DPRK worker delegations and receiving $2 million in crypto for selling IT equipment to DPRK-affiliated teams in China and Russia.
ZachXBT’s investigation also uncovered Russian Telecom IP overlaps among developers who claimed to be based in the United States and Malaysia. At least one developer “accidentally leaked their other identities on a notepad.” Some of these developers were even placed by recruitment companies, and in some cases, they referred each other for work.
A researcher uncovered a network of North Korean developers who received $5.5 million in cryptocurrency payments. These funds were traced back to a single exchange address.
Although some of these developers were hired by unwitting companies, the scheme is linked to sanctioned individuals and supports North Korea’s weapons programs. The country has a history of using cyberattacks to fund its operations, exploiting vulnerabilities and deceiving victims to steal funds.
In 2022, the US Departments of Justice, State, and Treasury issued a joint advisory warning about the surge of North Korean workers infiltrating various freelance tech jobs, particularly in the crypto sector. The most notorious group linked to these activities, the Lazarus Group, reportedly stole over $3 billion in crypto assets in the six years leading up to 2023.