{"id":80026,"date":"2026-04-09T11:16:31","date_gmt":"2026-04-09T11:16:31","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=80026"},"modified":"2026-04-09T11:16:31","modified_gmt":"2026-04-09T11:16:31","slug":"crypto-investigator-exposes-north-koreas-secret-1-million-a-month-scheme","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=80026","title":{"rendered":"Crypto Investigator Exposes North Korea\u2019s Secret $1 Million A Month Scheme"},"content":{"rendered":"
\n

Crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories.<\/p>\n

The DPRK Crypto-Infiltration Saga, Part III (From This Week Only)<\/h2>\n

The North Korean secret crypto-agents saga continues. The hidden network of North Korea\u2013aligned crypto hackers have been slowly exposed on the social network X these past days, following the attribution of the\u00a0April 1st $285 million attack on Drift Protocol\u00a0to UNC4736<\/a>, a North Korea\u2013aligned, state\u2011sponsored hacking group.<\/p>\n

On Sunday<\/a>, security researcher Taylor Monahan\u00a0claimed that North Korean IT workers have quietly worked inside more than 40 DeFi projects over roughly seven years. Also on Sunday and Monday<\/a>, multiple crypto industry actors shared videos and stories of North Korean IT workers failing the \u201cKim Jong-Un Test\u201d.<\/p>\n

Now, it was ZachXBT turn to publish his findings, which he did yesterday on a thread on the social network X.<\/a> The exfiltrated data, that hadn\u2019t been publicly released before, was shared with him by an anonymous source.<\/p>\n

The extraction of the data was possible because one of this IT workers workers from the Democratic People\u2019s Republic of Korea (DPRK) had his device infected with an infostealer (malware designed specifically to steal sensitive information). The malware exposed IPMsg chat logs, fabricated identities, and detailed browser activity.<\/p>\n

\n

2\/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.<\/p>\n

Digging through the IPMsg logs revealed this site being discussed:
\nluckyguys[.]site<\/p>\n

An internal payment remittance platform,\u2026 pic.twitter.com\/0rA1CxSmZx<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 8, 2026<\/a><\/p>\n<\/blockquote>\n

The thread walks through how DPRK IT agents, often posing as freelancers abroad, are allegedly getting paid in crypto and funneled back into regime\u2011linked channels.<\/p>\n

A Breakdown Of The Findings<\/p>\n

The website that surfaced from the data extraction was called luckyguys.site. According to the crypto detective, it appeared to function as an internal payment remittance hub: a Discord\u2011like messaging platform where DPRK IT operatives reported and reconciled their crypto payments with superiors.<\/p>\n

Believe it or not, the site\u2019s default login password was set to \u201c123456\u201d. At the moment of the data extraction, ten accounts were still using it unchanged.<\/p>\n

\"crypto,<\/p>\n

The account roster showed roles, Korean names, locations, and internal group codes that align with known North Korean IT worker structures. ZachXBT highlighted that three of the companies referenced in the data, Sobaeksu, Saenal, and Songkwang, are already subject to OFAC sanctions.<\/p>\n

The crypto investigator shared a video showing direct messages from one WebMsg account, \u201cRascal\u201d, with PC\u20111234 (the server admin account) that spell out payment transfers and the use of fake identities from December 2025 to April 2026. Every payment in these chats is routed and finalized via PC\u20111234. The logs also reference Hong Kong addresses for billing and delivery of goods, although whether those details are genuine still needs to be confirmed.<\/p>\n

\n

4\/ Here is one of the WebMsg users \u2018Rascal\u2019 and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.<\/p>\n

All payments are processed and confirmed through the server admin account: PC-1234.<\/p>\n

Addresses in Hong\u2026 pic.twitter.com\/akyjmTbL5J<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 8, 2026<\/a><\/p>\n<\/blockquote>\n

The findings only grow more interesting as the thread advances. Since late November 2025, more than $3.5 million has flowed into the payment wallets. The same remittance pattern shows up again and again: users either send crypto in directly from an exchange or service, or off\u2011ramp into fiat via Chinese bank accounts using platforms such as Payoneer.<\/p>\n

After that, PC\u20111234 acknowledges the incoming funds and hands over login credentials, which can be for different crypto exchanges or fintech payment apps, depending on the specific user.<\/p>\n

\n

5\/ Since late November 2025 $3.5M+ was received across the payment wallet addresses.<\/p>\n

The remittance pattern was consistent across users:<\/p>\n

Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.\u2026 pic.twitter.com\/IhbqW3eKKI<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 8, 2026<\/a><\/p>\n<\/blockquote>\n

A Reconstruction Of The Network\u2019s Hierarchy<\/p>\n

The crypto detective reconstructed the network\u2019s entire organizational hierarchy using the full dataset and made an interactive version of this org chart.<\/a><\/p>\n

\"Crypto,<\/p>\n

When the investigator followed the internal payment wallets on\u2011chain, he found connections to several already\u2011attributed DPRK IT worker clusters. The Tron\u2011based wallet was frozen by Tether in December 2025<\/a>.<\/p>\n

Other interesting findings show that the compromised device, which belonged to someone called \u201cJerry\u201d, still had Astrill VPN in use, along with multiple fabricated identities being used to apply for jobs. Inside an internal Slack workspace, a user named \u201cNami\u201d shared a blog post about a deepfake job applicant linked to DPRK IT workers. One colleague asked if the story was about them, while another reminded the group they weren\u2019t allowed to post external links.<\/p>\n

\n

8\/ Jerry\u2019s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.<\/p>\n

An internal Slack showed \u2018Nami\u2019 sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren\u2019t allowed to\u2026 pic.twitter.com\/7ZdGbX91WT<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 8, 2026<\/a><\/p>\n<\/blockquote>\n

Jerry exchanged messages with another North Korean IT worker about plans to steal from a project, using a Nigerian proxy to target Arcano, a GalaChain game. If that attack was ever carried out or not is unclear.<\/p>\n

\n

9\/ Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.<\/p>\n

However, it remains unclear if the attack later materialized. pic.twitter.com\/p9QQLHbB91<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 8, 2026<\/a><\/p>\n<\/blockquote>\n

The admin also distributed 43 Hex-Rays\/IDA Pro training materials to the group between November 2025 and February 2026. These sessions focused on disassembly, decompilation, both local and remote debugging, and a range of cybersecurity techniques. One link shared on November 20<\/a> was explicitly titled: \u201cusing-ida-debugger-to-unpack-an-hostile-pe-executable\u201d.<\/p>\n

Final Thoughts<\/p>\n

\"Crypto,<\/p>\n

ZachXBT concluded that this DPRK IT worker cluster appears relatively unsophisticated compared with outfits like AppleJeus and TraderTraitor, which run much tighter operations and pose a far greater systemic threat to the crypto industry. His earlier estimated that North Korean IT workers collectively pull in several million dollars a month is reinforced by this dataset.<\/p>\n

Today, the investigator posted an update explaining that the internal DPRK payment portal has been pulled offline following the publication of his findings. All of the data was fully captured and archived beforehand.<\/p>\n

\n

Update: The internal DPRK payment site has since been taken down after my post.<\/p>\n

However all data was archived in advance. pic.twitter.com\/9cRdopal5g<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) April 9, 2026<\/a><\/p>\n<\/blockquote>\n

Crypto is now deeply embedded in geopolitical shadow economies. On\u2011chain transparency cuts both ways for users and adversaries.<\/p>\n

It wouldn\u2019t be surprising if markets start to price higher compliance costs for CEXs and OTC desks, or if there is more friction for stablecoin flows in sanctioned regions. The North Korean saga surely raises the odds of more aggressive enforcement against cross\u2011border flows, privacy tools, and high\u2011risk venues.<\/p>\n

\"Bitcoin,<\/p>\n

Cover image from Perplexity. BTCUSDT chart from Tradingview.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories. The DPRK Crypto-Infiltration Saga, Part III (From This Week Only) The North Korean secret crypto-agents saga continues. The hidden network of North Korea\u2013aligned crypto hackers have been slowly exposed on the social network X these past […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-80026","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/80026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=80026"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/80026\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=80026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=80026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=80026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}