April 09, 2026 ChainGPT

ZachXBT Leak Exposes North Korea's "luckyguys.site" Crypto Payment Hub — 390+ Accounts, $3.5M

Crypto investigator ZachXBT has published a trove of leaked data that appears to expose an internal North Korea–linked crypto payment hub, tying together more than 390 accounts, chat logs and transaction histories — and offering a rare window into how DPRK IT operatives allegedly move and reconcile crypto payments.

The disclosure comes amid a string of recent revelations about North Korea's crypto activity, including the April 1 $285 million Drift Protocol exploit attributed to UNC4736 and researcher Taylor Monahan's claim that DPRK IT workers have quietly worked inside 40+ DeFi projects over roughly seven years. Multiple industry participants have also been posting examples of DPRK operatives posing as overseas freelancers.

What ZachXBT found

- Source and method: An anonymous source provided data that had been exfiltrated after a DPRK IT worker's device was infected by an infostealer. Extracted artifacts included IPMsg chat logs, fake identities, browser history and internal files.
- The portal: Logs reference a site called luckyguys.site, described as an internal remittance/messaging platform where operatives report and reconcile crypto payments with superiors. The site reportedly functioned like a Discord-style workspace for payments.
- Security lapses: The site's default login password was "123456"; at the time of extraction, ten accounts still used it.
- Accounts and ties: The roster exposed roles, Korean names, locations and internal group codes consistent with known DPRK IT worker structures. Three companies named in the dataset (Sobaeksu, Saenal and Songkwang) are already sanctioned by OFAC.
- Admin node PC-1234: Direct messages from a WebMsg user "Rascal" to the server admin account PC-1234 (Dec 2025–Apr 2026) show payment transfers and the use of fabricated identities. All payments in the logs are routed and finalized via PC-1234. Some billing/delivery lines reference Hong Kong addresses (unconfirmed).
- Money flows: Since late November 2025, ZachXBT says more than $3.5 million has moved into the payment wallets tied to the portal. The remittance pattern repeats: users send crypto from exchanges or off-ramp into fiat via Chinese bank accounts and services like Payoneer; the admin confirms receipt of funds and hands over exchange/payment app login credentials.
- On-chain links: Tracing the wallets shows connections to previously attributed DPRK IT worker clusters. One Tron-based wallet was reportedly frozen by Tether in December 2025.
- Operational details: The compromised device (user "Jerry") showed Astrill VPN use and multiple fake personas used to apply for jobs. Internal Slack logs include a post about a deepfake job applicant and a discussion in which colleagues questioned whether they were the subject. Jerry also allegedly discussed a planned theft using a Nigerian proxy to target Arcano (a GalaChain game); whether that operation proceeded is unknown.
- Training materials: The admin distributed 43 Hex-Rays/IDA Pro training items (Nov 2025–Feb 2026) covering disassembly, decompilation and debugging, including a file explicitly titled "using-ida-debugger-to-unpack-an-hostile-pe-executable."
- Assessment: ZachXBT judges this DPRK IT cluster as relatively unsophisticated compared with higher-grade operations like AppleJeus and TraderTraitor, though the dataset reinforces prior estimates that DPRK IT workers collectively net several million dollars per month.

Aftermath

ZachXBT says the internal payment portal was taken offline after his post, but all the data was archived beforehand. The leak amplifies growing evidence that crypto tools and rails are deeply embedded in geopolitical shadow economies — and that on-chain transparency can help investigators trace those flows.

Market and policy implications

The exposure may prompt exchanges, OTC desks and stablecoin issuers to tighten compliance and screening for high-risk flows. Expect potential increases in due diligence, friction for stablecoin and cross-border remittances in sanctioned regions, and renewed regulatory attention on privacy tools and venues that facilitate high-risk transfers.

Image credits: Perplexity; BTCUSDT chart: TradingView.