DPRK IT Network Breach Exposes $1M/Month Fraud Scheme

A recent investigation by blockchain analyst ZachXBT uncovered a large-scale internal breach tied to North Korean IT workers. The leaked data exposed a network of 390 accounts, chat logs, and crypto transactions.

Besides, the findings reveal a coordinated system that processed around $1M per month through fraudulent identities and financial deception. Consequently, the breach provides rare visibility into how these operations function behind the scenes.

ZachXBT reported that an unnamed source provided the data after compromising a device linked to a DPRK IT worker. The infection stemmed from an infostealer, which extracted IPMsg chat logs, browser history, and identity records.

Additionally, the logs revealed a platform called luckyguys[.]site, which acted as an internal communication hub. This system functioned like a private messaging service for reporting payments and coordinating activity.

Payment Infrastructure and Operational Flow

The data shows a structured payment pipeline that connects crypto flows to fiat conversion. Users transferred funds from exchanges or converted assets through Chinese bank accounts and fintech platforms like Payoneer. Hence, the network maintained steady liquidity across multiple channels.

Significantly, the internal server used a weak default password, 123456, across several accounts. This oversight exposed serious security gaps within the system.

The platform included user roles, Korean names, and location data, which aligned with known DPRK IT worker structures. Moreover, three companies tied to the network appeared on OFAC sanction lists, including Sobaeksu, Saenal, and Songkwang.

ZachXBT identified over $3.5M in transactions flowing into associated wallet addresses since late November 2025. The consistent pattern involved centralized confirmation by an admin account labeled PC-1234. This account validated payments and distributed credentials for exchanges and fintech platforms.

Additionally, one Tron wallet linked to the operation faced freezing by Tether in December 2025. This action highlighted increasing enforcement pressure on illicit crypto activity tied to state-backed groups.

Operational Depth and Training Activities

The breach also exposed internal discussions and training materials. An internal Slack channel showed 33 DPRK IT workers communicating simultaneously through IPMsg. Moreover, administrators distributed 43 training modules on tools such as IDA Pro and Hex-Rays.

These materials covered reverse engineering, debugging, and software exploitation techniques. Consequently, the group demonstrated structured training despite limited sophistication compared to advanced groups like AppleJeus or TraderTraitor. However, the scale of operations still generated significant revenue streams.

The leaked logs also referenced attempts to use fake identities and deepfake applications for job infiltration. Additionally, some conversations covered targeting gaming platforms and financial services.

Related: SBI Ripple Asia Has Completed Its Token Issuance Platform on $XRP Ledger (XRPL)