
Blockchain investigator ZachXBT has uncovered what he claims is a North Korean-linked IT worker network generating roughly $1 million per month through crypto-linked payments and fraudulent employment schemes.
In a detailed thread on X, the onchain sleuth said the findings stem from data exfiltrated from an internal payment server tied to 390 accounts.
The data cache also includes chat logs, wallet activity, and identity records that had not previously been made public, the crypto detective said.
According to ZachXBT’s analysis, what appears to be a structured operation that relies on forged personas, fake documents, and a well-coordinated payment flow has pulled in north of $3.5 million since last November.
An internal remittance platform resembling a messaging service is at the center of the system, he said. Workers use the tool to report earnings and receive payment instructions from a central administrator account.
Funds were then typically routed through cryptocurrency transactions before being converted to fiat using Chinese bank accounts or platforms such as Payoneer.
ZachXBT linked several payment addresses to known clusters associated with North Korean IT worker activity. One Tron address connected to the network was frozen by Tether in December, he said.
Moreover, the data revealed operational details such as the use of VPNs to mask locations, job applications filed under fake identities, and internal communications among at least dozens of workers.
In one instance, a compromised device showed discussions about targeting a crypto gaming project. It remains unclear whether the attack was executed.
Notably, the group appeared less sophisticated than higher-profile DPRK-linked operations such as Lazarus.
However, ZachXBT said the revenue profile aligns with prior estimates that North Korean IT worker schemes generate multiple seven figures per month.
The findings add to a broader trend of North Korea-linked activity across crypto and cyberspace, diversifying beyond high-profile hacks into labor, fraud, and payment networks.
In recent weeks, a Solana-based project known as Stabble urged liquidity providers to withdraw funds after identifying a former North Korean employee. Drift protocol also tied a $280 million exploit to a months-long social engineering campaign attributed to suspected DPRK actors.
Meanwhile, U.S. authorities have also sanctioned facilitators connected to an $800 million crypto-linked scheme, underscoring the scale of activity tied to the country’s cyber operations.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.