
North Korea IT worker ring nets $1 million monthly in crypto payments


The way North Korea funds itself has evolved considerably since the days of state-sponsored bank heists and sanctions evasion through front companies.

A new investigation by blockchain sleuth ZachXBT, published Wednesday on X, pulls back the curtain on a quieter but remarkably persistent side of that funding, one built on fake LinkedIn profiles, forged passports, and remote tech jobs.

ZachXBT obtained the data from an unnamed source who shared information exfiltrated from an internal North Korean payment server. The dataset included 390 user accounts, detailed chat logs, and full cryptocurrency transaction records, none of which had ever been publicly released before.

Discord clone called luckyguys[.]site

At the center of the operation was luckyguys[.]site, a self-hosted messaging platform built to resemble Discord. DPRK IT workers used it exclusively to report and confirm remittances to their handlers. The platform’s security posture was, to put it charitably, minimal. 

At least ten users kept the default password 123456 unchanged. The system listed users with roles, Korean names, cities, and coded group names consistent with known DPRK IT worker structures. 

Three entities appearing in the records, Sobaeksu, Saenal, and Songkwang, are already designated by the US Treasury’s Office of Foreign Assets Control. All financial movements were centrally routed through the admin account PC-1234, which issued temporary login credentials for crypto exchanges and fintech platforms on a per-user basis.

The money flow itself was methodical. Workers typically sent crypto from exchanges or other services, then converted those funds into cash through Chinese bank accounts or platforms such as Payoneer. The PC-1234 admin account confirmed each payment and handed out the account details to use on the different platforms. 

Since late November 2025, the system has handled more than $3.5 million in crypto payments, averaging roughly $1 million per month. Blockchain tracing linked wallet activity to known DPRK clusters, with one Tron address frozen by Tether in December 2025.

The exposure itself appears to trace back to one of the workers. A compromised device belonging to a worker identified as “Jerry,” infected by infostealer malware, showed usage of Astrill VPN and multiple fake personas applying for jobs. 

Jerry, it turns out, had also been applying for software engineering positions through Indeed, including an unsent email for a WordPress content role at a Texas T-shirt company seeking $30 an hour for 15 to 20 hours a week. Internal chats also referenced a planned theft attempt from the GalaChain game Arcano using a Nigerian proxy.

Another user, “Rascal,” had direct message logs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026. Hong Kong addresses appeared in billing records, though their authenticity could not be confirmed. “Rascal” also shared pictures of a billing statement using a fake name and a fake address, along with what appeared to be an Irish passport. 

Between November 2025 and February 2026, the group’s admin distributed 43 Hex-Rays and IDA Pro training modules covering disassembly, decompilation, debugging, and the unpacking of hostile executables, pointing to capabilities well beyond basic financial fraud. One of those training links, shared in November, specifically explained how to use the IDA debugger to unpack malicious software.

The luckyguys[.]site domain was taken offline shortly after ZachXBT published his thread on April 8, although the complete dataset had already been archived.

Crypto’s DPRK problem is bigger than one network

ZachXBT was careful to contextualize where this network sits in the broader North Korean threat space. He noted that this group appeared less sophisticated compared to better-known ones such as Lazarus Group, AppleJeus, and TraderTraitor, which are more efficient and present greater risks to the industry. In other words, this is a lower-tier operation, and it’s still pulling seven figures a month.

That framing matters because it suggests the scale of what the higher-tier groups are generating. In 2025, DPRK-linked groups stole at least $2.02 billion in cryptocurrency, a 51 percent increase from 2024, accounting for roughly 60 percent of the $3.4 billion stolen globally. Estimated total crypto theft by North Korean actors now stands at $6.75 billion.

The week’s disclosures didn’t stop with the payment server data. Just a day earlier, ZachXBT had separately flagged that a Solana-based DeFi project, ElementalDeFi, had a North Korean IT worker on its payroll for years. That revelation sent ripples through adjacent projects. Stabble, a Solana DEX, issued an emergency announcement urging liquidity providers to withdraw funds immediately following ZachXBT’s post about ElementalDeFi. 

MetaMask developer Taylor Monahan and others have warned that North Korean-linked developers have been contributing code to DeFi protocols “all the way back to DeFi summer,” sometimes presenting seven years of apparent blockchain experience. The resumes are not fake in every dimension: the experience is real, the skills are real, and the code they write often works. That is what makes detection so difficult.

ZachXBT has said that the tactics themselves are not particularly sophisticated. “Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way sophisticated, the only thing about it is they’re relentless,” he said. Relentless, organized, and, based on this week’s data, still largely operating without meaningful disruption.
