It seems the North Koreans are at it again, and no, they aren’t making kimchi. A stunning leak of internal data has exposed how a group of North Korean IT workers generated a cool $3.5 million in cryptocurrency through a devious, well-coordinated scheme involving fake developer identities and clever payment systems. Blockchain investigator ZachXBT reports that this operation has been running like a well-oiled machine for months.
How did the truth come to light? A hacker, whose name we’ll never know (because, well, why would they reveal themselves?), breached one of the workers’ devices and spilled the beans. The hacker uncovered a treasure trove of internal records tied to almost 390 accounts, chat logs, browser data, and (wait for it) falsified identity documents. So, yes, it turns out “Jerry” and his friends aren’t really who they say they are. Shocking, right?
North Korean Crypto Operation
The operation, as expected, wasn’t a small-time gig. These ‘developers’ were pulling in about $1 million a month. How? Simple. They used forged credentials to get hired on various projects and funneled their earnings through an internal payment platform. ZachXBT points out that all the shady dealings happened on a platform called “luckyguys.site,” which sounds suspiciously like a scammy dating site, but no, it’s where all the crypto paydays happened. It even had a shockingly low level of security, because who needs that when you’re faking everything, right?
But wait, there’s more! The platform had user listings with job roles, locations, and group identifiers that made it clear who was really behind it all. These were not just any ordinary crypto workers; they were connected to North Korean IT groups like Sobaeksu, Saenal, and Songkwang. And for the cherry on top, some of these entities are sanctioned by the U.S. Treasury. It’s almost like they were asking for trouble. But who’s surprised?
In case you’re wondering how the whole thing worked, it’s delightfully mundane. Funds received in crypto from clients or exchanges were quickly converted into good old fiat currency, funneled through Chinese bank accounts, and processed via Payoneer. Blockchain tracking showed these funds winding up in wallets previously linked to North Korean activity. One of those wallets got a “Tether treatment” (aka frozen) in late 2025. Talk about bad luck!
The juicy details don’t stop there. The hacker uncovered an internal conversation where “Jerry” (our suspiciously common North Korean alias) was discussing the use of VPNs and fake personas to snag jobs. There were also mentions of deepfake technology being used in hiring practices and strict rules about not sharing anything outside the network. It’s almost as if the entire operation was one big scam, run by… well, scammers.
And just to add a sprinkle of technical flair to the whole thing, the admins were distributing training materials on reverse engineering and debugging tools. Because why not, right? Just a casual crash course on how to break the system you’re already exploiting.
DPRK Developers in DeFi
This week, cybersecurity guru Taylor Monahan confirmed that North Korea’s IT workers have been deeply embedded in the crypto sector for years. They’ve even contributed to major decentralized finance (DeFi) protocols. You might have heard of them: SushiSwap, Yearn, and THORChain. Apparently, many of these workers’ resumes look suspiciously real, until you dig deeper, of course.
But it doesn’t stop with fake crypto jobs. These North Korean masterminds have also been involved in some of the largest crypto hacks of all time. Lazarus Group, a hacking group linked to the North, was behind the $625 million Ronin Bridge hack in 2022, the $235 million WazirX hack in 2024, and, of course, let’s not forget the colossal $1.4 billion Bybit heist in 2025. Talk about making a name for yourself!
2026-04-09 22:54