So, it turns out that North Korea has been moonlighting as a crypto heist mastermind, and our intrepid detective, ZachXBT, has stumbled upon their digital laundry list. Picture this: an internal payment server, 390+ accounts, chat logs, and transaction histories. Basically, the North Korean version of a garage sale, but with more zeros and fewer dusty lamps.
The DPRK Crypto-Infiltration Saga, Part III (Or, How to Lose $285 Million in One Easy Step)
The saga continues, much like a never-ending soap opera but with fewer love triangles and more malware. Following the totally not suspicious $285 million Drift Protocol heist on April 1st (no, it wasn’t a joke), UNC4736, a North Korean state-sponsored intrusion set, has been outed as the culprit. But wait, there’s more! Security researcher Taylor Monahan reports that North Korean IT workers have been freelancing inside over 40 DeFi projects over the past seven years. Because, you know, who needs a day job when you can just hack your way to riches?
Meanwhile, on Sunday and Monday, crypto industry folks shared videos of North Korean IT workers failing the “Kim Jong-Un Test.” Spoiler alert: it’s not a pop quiz on his favorite hairstyle. The interviewer simply asks the candidate to say something critical of Kim Jong-Un on camera, and the DPRK applicants reliably freeze, deflect, or drop the call.
Enter ZachXBT, who decided it was his turn to spill the beans. Thanks to an anonymous source (probably not a Nigerian prince), he got his hands on some juicy data. How? A DPRK IT worker’s own device got infected with an infostealer, the same class of commodity malware these operators deploy against their targets. Because even hackers need a reminder to update their antivirus.
2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history. Digging through the logs revealed this site being discussed: luckyguys[.]site. An internal payment remittance platform, because who doesn’t love a good Discord knockoff?
– ZachXBT (@zachxbt) April 8, 2026
Turns out, DPRK agents, posing as freelancers abroad, are getting paid in crypto and funneling it back to the regime. Because nothing says “socialism” like a decentralized currency, right?
A Breakdown Of The Findings (Or, How to Secure Your Password: Don’t)
The website in question? luckyguys[.]site. Yes, really. It’s essentially a private Discord where DPRK operatives report their crypto payments. And the default password? “123456.” At the time of the data breach, ten accounts were still using it. Facepalm. For a platform whose entire purpose is moving sanctioned money, nobody bothered to force a password change on first login.
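The practitioner’s version of that facepalm is a credential audit: take the user table, try the shipped default (and a few other usual suspects) against every stored hash, and list who never changed it. The script below is an added example, not code from this page, from ZachXBT, or from the site he documented. It assumes a hypothetical storage scheme (PBKDF2-HMAC-SHA256 with a per-user salt) and uses a constructed user list; the real platform’s hashing, if any, is unknown.

```python
"""Audit a dump of user records for accounts still on a default or weak
password.  Added example; not code from the page, ZachXBT, or the site it
describes.  The hashing scheme (PBKDF2-HMAC-SHA256, per-user salt) and the
user list are constructed assumptions for illustration."""
import hashlib
import hmac
import os

# Constructed: a short list of defaults worth testing.  A real audit would
# pull from a larger wordlist (top-N leaked passwords, vendor defaults).
DEFAULT_PASSWORDS = ["123456", "password", "12345678", "admin"]

ITERATIONS = 50_000  # assumed work factor for the hypothetical scheme


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored hash the way the hypothetical site would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(username: str, password: str, role: str) -> dict:
    """Build a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"user": username, "role": role, "salt": salt,
            "hash": hash_password(password, salt)}


def audit_default_passwords(records: list, candidates: list = DEFAULT_PASSWORDS) -> list:
    """Return (username, matched_password) for every account whose stored hash
    verifies against one of the candidate defaults.  compare_digest keeps the
    comparison constant-time, which matters if this logic is ever reused in a
    login path rather than an offline audit."""
    hits = []
    for rec in records:
        for pw in candidates:
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                hits.append((rec["user"], pw))
                break  # one match per account is enough
    return hits


def weak_password_report(records: list) -> dict:
    """Summarise the audit: how many accounts, how many still on a default, which."""
    hits = audit_default_passwords(records)
    return {"total": len(records), "on_default": len(hits), "accounts": hits}


# Constructed sample: three of five accounts never changed the shipped default.
SAMPLE_RECORDS = [
    make_record("admin01", "c0rrect-horse-battery", "admin"),
    make_record("user02", "123456", "worker"),
    make_record("user03", "123456", "worker"),
    make_record("user04", "Tr0ub4dor&3", "worker"),
    make_record("user05", "123456", "worker"),
]

if __name__ == "__main__":
    print(weak_password_report(SAMPLE_RECORDS))
```

The fix on the application side is the boring one: force a password change on first login and reject anything on the default list at set-password time, so the audit above returns an empty list.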

The account roster included roles, Korean names, locations, and internal group codes (basically, a North Korean LinkedIn). ZachXBT noted that three of the companies, Sobaeksu, Saenal, and Songkwang, are already on the OFAC sanctions list. Because, of course they are.
One WebMsg user, “Rascal,” had DMs with the server admin, PC-1234, detailing payment transfers and fake identities from December 2025 to April 2026. Every payment was routed through PC-1234, who probably deserves a raise for all the paperwork.
4/ Here’s Rascal and their DMs with PC-1234, because nothing says “professional” like a username straight out of a 90s hacker movie.
– ZachXBT (@zachxbt) April 8, 2026
Since November 2025, over $3.5 million has flowed into the payment wallets. The pattern? Straight crypto transfers, or cash-outs to fiat through Chinese bank accounts via platforms like Payoneer. Because laundering money is so much easier when you’ve got options.
5/ $3.5M+ since November 2025. Because who needs a 9-to-5 when you can just hack your way to millions?
– ZachXBT (@zachxbt) April 8, 2026
A Reconstruction Of The Network’s Hierarchy (Or, The DPRK Org Chart: Now in Interactive Form!)
ZachXBT reconstructed the entire organizational hierarchy, because why not? Here’s the org chart, in all its glory:

Following the wallets on-chain, he found connections to other DPRK IT worker clusters. Tether froze the USDT held in one Tron-based wallet in December 2025. Because even crypto criminals need a timeout.
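“Following the wallets on-chain” is two operations: sum what flowed into the known payment addresses after a cut-off, then walk outgoing transfers from those addresses to find the wider cluster and check whether any hop lands on an issuer-frozen or sanctioned address. The script below is an added example of that workflow, not ZachXBT’s tooling and not real chain data. Every address, amount, and date in it is constructed, and the frozen-address list is a placeholder for whatever blacklist or sanctions feed you actually hold.

```python
"""Follow payment wallets on-chain: total inflows after a cut-off date, then
walk outgoing transfers to discover linked wallets and flag any that hit a
known frozen/sanctioned address.  Added example, not ZachXBT's tooling; all
transfers, addresses and dates below are constructed."""
from collections import defaultdict, deque
from datetime import date

# Constructed transfers: (date, from_address, to_address, amount_usd).
# Addresses are placeholders, not real on-chain identifiers.
TRANSFERS = [
    (date(2025, 10, 20), "client_A", "pay_1", 40_000),   # before cut-off, ignored
    (date(2025, 11, 3), "client_A", "pay_1", 120_000),
    (date(2025, 12, 15), "client_B", "pay_2", 95_000),
    (date(2026, 1, 9), "client_C", "pay_1", 210_000),
    (date(2026, 2, 2), "pay_1", "hop_X", 300_000),        # outflow, not income
    (date(2026, 2, 3), "hop_X", "tron_frozen", 150_000),
    (date(2026, 2, 3), "hop_X", "otc_desk", 150_000),
    (date(2026, 3, 1), "pay_2", "otc_desk", 90_000),
    (date(2026, 3, 5), "unrelated", "other", 5_000),     # never touches the cluster
]

PAYMENT_WALLETS = {"pay_1", "pay_2"}
FROZEN = {"tron_frozen"}   # constructed stand-in for an issuer-frozen address
CUTOFF = date(2025, 11, 1)


def inflows_since(transfers, wallets, cutoff):
    """Sum inflows into each payment wallet on/after cutoff, excluding transfers
    between the payment wallets themselves (internal shuffles are not income)."""
    totals = defaultdict(int)
    for when, src, dst, amt in transfers:
        if when >= cutoff and dst in wallets and src not in wallets:
            totals[dst] += amt
    return dict(totals)


def forward_cluster(transfers, seeds, max_hops=3):
    """BFS along outgoing edges from the seed wallets, up to max_hops, returning
    {address: shortest_hops_from_a_seed}.  Forward-only on purpose: walking
    inbound edges too would drag in every client that ever paid a seed."""
    out_edges = defaultdict(set)
    for _, src, dst, _ in transfers:
        out_edges[src].add(dst)
    seen = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt in out_edges[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen


def trace_report(transfers, wallets, cutoff, frozen):
    """Combine both steps into the summary an analyst would publish."""
    inflows = inflows_since(transfers, wallets, cutoff)
    cluster = forward_cluster(transfers, wallets)
    return {
        "total_inflow_usd": sum(inflows.values()),
        "per_wallet": inflows,
        "cluster": cluster,
        "frozen_hits": sorted(a for a in cluster if a in frozen),
    }


if __name__ == "__main__":
    print(trace_report(TRANSFERS, PAYMENT_WALLETS, CUTOFF, FROZEN))
```

The hop counter is the part worth keeping when you scale this up to real explorer or indexer output: a frozen address one hop from a payment wallet is evidence, a frozen address six hops away through a busy exchange deposit address is noise, and a cluster walk without a depth limit will happily swallow the whole chain.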
Other highlights? The compromised device belonged to someone going by “Jerry,” who was using Astrill VPN and multiple fake identities to apply for jobs. Meanwhile, on an internal Slack, “Nami” shared a blog post about a deepfake job applicant linked to DPRK workers. One colleague asked if it was about them, while another reminded everyone not to post external links. Oops.
8/ Jerry, Nami, and the gang-because every good heist needs a cast of characters.
– ZachXBT (@zachxbt) April 8, 2026
Jerry also discussed plans with another DPRK worker to steal from a project, using a Nigerian proxy to target Arcano, a GalaChain game. Whether the attack ever happened is still unclear. But points for creativity.
9/ Jerry and the Nigerian proxy-because every good scam needs an international twist.
– ZachXBT (@zachxbt) April 8, 2026
The admin also shared 43 Hex-Rays/IDA Pro training materials between November 2025 and February 2026, covering disassembly, decompilation, and cybersecurity techniques. One link was titled “using-ida-debugger-to-unpack-an-hostile-pe-executable.” Because nothing says “professional development” like learning how to unpack hostile executables.
Final Thoughts (Or, The Moral of the Story: Don’t Use ‘123456’ as Your Password)

ZachXBT concluded that this DPRK cluster is relatively unsophisticated compared to groups like AppleJeus and TraderTraitor. But hey, they’re still raking in several million dollars a month, so who’s really winning here?
Update: The internal DPRK payment site has been taken down after ZachXBT’s post. But don’t worry, all the data was archived in advance. Because nothing says “job well done” like forcing a takedown.
Update: The site’s gone, but the memes live on.
– ZachXBT (@zachxbt) April 9, 2026
Crypto is now deeply embedded in geopolitical shadow economies. On-chain transparency cuts both ways, for users and adversaries alike. So, expect higher compliance costs for CEXs and more friction for stablecoin flows in sanctioned regions. Because nothing says “fun” like increased regulatory scrutiny.

Cover image from Perplexity. BTCUSDT chart from Tradingview. Because every good story needs a chart.
2026-04-09 14:13