ZachXBT exposes North Korean crypto laundering network moving $1M/month


Blockchain detective ZachXBT has once again exposed the darker side of the crypto world with his latest investigation, this time into a North Korean laundering chain.

The case rests on a data leak from inside a North Korean IT operation that quietly took in roughly $1 million per month by posing as freelance developers and laundering the proceeds.

Data leak reveals how the network really works

The documents, obtained from a compromised device belonging to one of the workers, paint a rare insider picture of how these state-linked teams operate. Since late November 2025, more than $3.5 million flowed through the network’s wallets.

The breach came via an infostealer, malware designed to harvest data from a device, that hit one of the workers’ machines, handing over chat logs, fake IDs, browser history, and records from an internal payment server containing around 390 accounts.

The launderers’ all-in-one internal system

Investigators traced activity to a site called luckyguys[.]site, an internal platform that logged everything and acted as a remittance tracker and messaging hub. Workers logged their earnings, reported deposits to handlers, and received instructions.

The site’s security was very poor: at least ten accounts used the default password “123456”. It even featured a leaderboard showing how much business each worker had done since December 8, 2025, and its entries were linked to on-chain transactions, meaning the payments could be viewed publicly on the blockchain ledger.

Off-ramp and payment handling

The scheme followed a simple but effective laundering path. Crypto arrived from exchanges or other services, then got converted to fiat and funneled into Chinese bank accounts through platforms like Payoneer.


An admin account nicknamed PC-1234 would confirm receipts and hand out login credentials for various fintech tools.

Some of the users on the platform were tied to three companies already blacklisted by the U.S. Office of Foreign Assets Control: Sobaeksu, Saenal, and Songkwang. These entities have long been flagged as fronts for North Korea’s overseas IT worker programs.

The leaks also exposed the human side of the fraud. One worker, operating under multiple fake identities, submitted applications for remote developer positions and used an Astrill VPN to mask his actual location.

The team’s technical skills were, frankly, impressive. Between November 2025 and February 2026, the administrator rolled out a set of 43 training modules. These sessions focused on IDA Pro and Hex-Rays, software commonly used for reverse engineering, debugging, and disassembly.

Chat logs showed 33 workers communicating simultaneously on IPMsg, and there were scattered discussions about targeting specific projects, including a potential play on a GalaChain game called Arcano via a Nigerian proxy. Whether those plans went anywhere remains unclear.

ZachXBT noted that this particular chain appears less complicated than heavyweight DPRK hacking outfits like the Lazarus Group. Instead of flashy smart contract exploits, they leaned heavily on identity fraud and off-ramping crypto through everyday financial services. Still, the numbers add up: the investigator pointed out that North Korean IT workers as a whole are pulling in multiple seven figures monthly, and this dataset backs that up.

For years, researchers have warned that thousands of North Korean IT workers are dispatched abroad or operate remotely, using forged documents to land freelance and full-time tech jobs. A chunk of that revenue flows straight back to the regime, helping it dodge sanctions and fund other priorities.

This latest leak offers something rarer: a look at the internal plumbing. It highlights how even basic operational sloppiness (weak passwords, shared platforms) can expose these networks when one device gets compromised.

Bottom Line

ZachXBT has already mapped out the organizational structure in an interactive chart covering late 2025 to early 2026 and says he plans to dig deeper. In the meantime, the findings serve as a reminder for crypto projects and hiring teams: when vetting remote developers, especially in high-paying niches, a little extra scrutiny can go a long way.
