Blockchain investigator ZachXBT says he’s uncovered evidence of a sophisticated network of North Korean developers that earn as much as $500,000 a month working for “established” crypto projects.
In an Aug. 15 post on X, ZachXBT informed his 618,000 followers he believes a “single entity in Asia,” likely operating out of North Korea, is receiving $300,000 to $500,000 per month employing at least 21 workers to over 25 crypto projects.
“Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed,” ZachXBT said.
“Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.”
ZachXBT alleges that the latest $1.3 million stolen by DPRK workers was laundered through a sequence of transactions, including transferring to a theft address and ending with 16.5 Ether (ETH) going to two different exchanges.
After further investigation into these devs, ZachXBT believes they are part of a much more extensive network.
Tracking multiple payment addresses, he found a cluster of developers receiving “$375,000 over the last month,” and previous transactions totaling $5.5 million, which flowed into an exchange deposit address from July 2023 to some time in 2024.
Related: ZachXBT flags Lazarus-linked addresses worth $61M
These payments were then linked to IT workers in North Korea, and an individual Sim Hyon Sop — who has been sanctioned by the Office of Foreign Assets Control (OFAC) for allegedly coordinating financial transfers that eventually ended up supporting North Korea’s weapons programs.
ZachXBT says his investigation uncovered other payment addresses were closely linked to another OFAC-sanctioned individual, Sang Man Kim, who has been linked to DPRK-related cybercrime in the past.
US law enforcement believes Kim is “involved in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations” and receiving $2 million in crypto for selling IT equipment to DPRK-affiliated teams in China and Russia.
ZachXBT also found instances of Russian Telecom IP overlaps among developers who claimed to be based in the United States and Malaysia. At least one of the workers “accidentally leaked their other identities on a notepad.”
Some of the devs he found were even placed by recruitment companies and in some cases, referred each other for work.
“A number of experienced teams have hired these devs so it’s not fair to them single as the ones to blame,” ZachXBT said.
“Shortly after posting another project found out they had hired one of the DPRK IT worker (Naoki Murano) listed in my table and shared my post in their chat. Immediately within two minutes, Naoki left the chat and wiped his GitHub.”
Organizations linked to the Democratic People’s Republic of Korea (DPRK) are believed to be behind more than a few cyber attacks and other scams over the years. Its cybercrime modus operandi generally involves phishing, exploiting software flaws, cyber intrusions, private key exploits and in-person infiltration. It is understood some also work these jobs to generate a salary which is then sent back to the country.
In 2022, the US Departments of Justice, State and Treasury issued a joint advisory warning about the influx of North Korean workers into various freelance tech jobs, especially crypto.
Arguably, the most infamous group linked to the hermit kingdom, the Lazarus Group, reportedly stole over $3 billion in crypto assets in the six years leading up to 2023.
Magazine: AI may already use more power than Bitcoin — and it threatens Bitcoin mining