North Korean IT Operatives Used 30+ Fake Identities to Join Crypto Projects

August 14, 2025

Summary: How did North Korean IT operatives infiltrate cryptocurrency projects?

According to blockchain investigator ZachXBT, five North Korean IT operatives used over 30 fake identities to secure developer roles. They relied on government IDs, purchased professional accounts, and used tools like AnyDesk and VPNs to mask their locations. The investigation also revealed detailed schedules, communications, and financial records showing how they coordinated and received payments.

Blockchain investigator ZachXBT has revealed a sophisticated operation in which five North Korean IT operatives allegedly used more than 30 fabricated identities to secure positions as developers within cryptocurrency projects.

“An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects,” the on-chain investigator wrote in an August 13 X post. 

ZachXBT reported that the breach revealed a trove of data, including Google Drive files, Chrome browser profiles, and device screenshots. He noted that the group relied heavily on Google tools to manage schedules, tasks, and budgets, with most communications conducted in English.

Data obtained by the on-chain investigator included spreadsheets detailing the group’s operations and mindset, with weekly reports from 2025 offering a glimpse into their workflow. Another spreadsheet focused exclusively on expenses, revealing purchases of Social Security numbers, Upwork and LinkedIn accounts, phone numbers, AI service subscriptions, computer rentals, and VPN or proxy services.


ZachXBT’s investigation uncovered documents showing detailed meeting schedules for targeted cryptocurrency projects, along with step-by-step instructions for maintaining the false identity “Henry Zhang.” The materials indicate that the group used these tools to meet blockchain industry hiring standards and secure access to internal systems and codebases.

The data indicated that the operatives relied on AnyDesk software in combination with VPN services to mask their true locations, making it appear to employers as though they were based in different regions. Telegram chats recovered from the group further revealed discussions about secured job placements and payment logistics, including the sharing of ERC-20 wallet addresses used to receive their salaries.

Furthermore, ZachXBT linked a commonly used ERC-20 wallet address (0x78e1) to the $680,000 Favrr exploit in June 2025. The breach implicated the project’s chief technology officer and several developers, who were later confirmed to be North Korean IT operatives using falsified credentials.

Addressing questions about the operatives’ origins, ZachXBT noted that their activity could be traced to North Korea. Analysis of their search history revealed frequent use of Google Translate for Korean-language content, all conducted through a Russian IP address, providing further evidence of their background.

The revelation of this sophisticated scheme serves as a stark reminder of the evolving threats within the cryptocurrency industry, emphasizing the need for heightened vigilance and robust security measures across all blockchain projects.

Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.
