A blockchain investigator has claimed that a DPRK-linked unit earned nearly $1 million monthly by posing as crypto IT workers. The claim raises serious concerns about cybersecurity risks and fraud in the global cryptocurrency ecosystem.
A North Korean hacker unit made more than $3.5 million (roughly Rs. 3.25 crore) by working as impostors in various IT jobs. The group was faking identities, hacking multiple crypto projects, and earning around $1 million a month (roughly Rs. 93 lakh), according to documents obtained by blockchain sleuth ZachXBT via an unnamed source.
The North Korean unit also forged legal documents and carried out crypto-to-fiat conversions. The unnamed source further revealed that a DPRK IT worker called 'Jerry' had their device compromised by an infostealer; the data extracted included IPMsg chat logs, fake identities, and browser history.
The DPRK hackers were coordinating through a website called “luckyguys.site”, using the shared password “123456”. The post shared by ZachXBT also revealed that some of the users on the fraudulent platform appeared to work for Sobaeksu, Saenal and Songkwang, which are sanctioned by the US Office of Foreign Assets Control.
The aforementioned crypto payments were converted into fiat and then sent to Chinese bank accounts through online payment platforms such as Payoneer. It was also discovered that the hackers were using a Discord-style messaging system to report their payments back to their handlers.
The North Korean IT workers also maintained a leaderboard on this platform, which exposed how much business each crypto IT worker had brought into the organisation since December 8, 2025, with links to blockchain explorer pages showing transaction details.
ZachXBT also revealed that the IT worker named Jerry had applied for various job roles; the material included an unsent email applying for a WordPress content and search engine optimization role at a T-shirt company in Texas.
North Korean IT workers were also in the spotlight earlier this year, when data from security researcher Taylor Monahan claimed that they have been infiltrating DeFi platforms for the past 7 years and have stolen over $7 billion (roughly Rs. 65,000 crore) in crypto since 2017. The infamous Drift Protocol hack of $285 million (roughly Rs. 2,600 crore) was also pinned on one of the DPRK units.
"Always validate that accounts listed by candidates are controlled by the email they provide," Security Alliance said. "Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account."
The disclosure comes as the Norwegian Police Security Service (PST) issued an advisory, stating it's aware of "several cases" over the past year where Norwegian businesses have been impacted by IT worker schemes.