ZachXBT, an on-chain investigator, asserts that he has identified a network of North Korean developers working on numerous crypto projects.
ZachXBT, a blockchain investigator, has discovered evidence of a sophisticated network of North Korean developers who earn as much as $500,000 per month by working for “established” crypto projects.
ZachXBT, in an Aug. 15 post on X, informed his 618,000 followers that he believes a “single entity in Asia,” likely operating out of North Korea, is receiving $300,000 to $500,000 per month and employing at least 21 workers to contribute to over 25 crypto initiatives.
ZachXBT stated that a team recently contacted him for assistance after malicious code was released, resulting in the theft of $1.3M from its treasury.
“Unbeknownst to the team, they had hired multiple DPRK IT workers as devs who were using fake identities.”
ZachXBT claims that the most recent $1.3 million stolen by the DPRK workers was laundered through a series of transactions, including a transfer to a theft address and culminating in 16.5 Ether being sent to two distinct exchanges.
After a more thorough investigation, ZachXBT believes these developers are part of a much more extensive network.
He discovered a cluster of developers who had received “$375,000 over the last month” and had previously transacted a total of $5.5 million. This money was transferred to an exchange deposit address between July 2023 and some point in 2024. He was able to track multiple payment addresses.
These payments were subsequently associated with IT workers in North Korea and an individual named Sim Hyon Sop, who has been sanctioned by the Office of Foreign Assets Control (OFAC) for purportedly coordinating financial transfers that ultimately benefited North Korea’s weapons programs.
According to ZachXBT, his investigation revealed that additional payment addresses were closely associated with Sang Man Kim, an OFAC-sanctioned individual who has previously been associated with DPRK-related cybercrime.
US law enforcement suspects that Kim is “complicit in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations” and has received $2 million in cryptocurrency for the sale of IT equipment to DPRK-affiliated teams in China and Russia.
Additionally, ZachXBT discovered instances of Russian Telecom IP overlaps among developers who claimed to be in Malaysia and the United States. “At least one of the employees inadvertently disclosed their other identities on a notepad.”
Sometimes, the developers he encountered were employed by recruitment agencies and referred one another for employment.
ZachXBT stated, “It is not fair to single out these developers as the ones to blame, as several experienced teams have hired them.”
“Shortly after posting, another project found out they had hired one of the DPRK IT workers (Naoki Murano) listed in my table and shared my post in their chat. Immediately, within two minutes, Naoki left the chat and wiped his GitHub.”
More than a few cyberattacks and other schemes are suspected to have been perpetrated by organizations associated with the Democratic People’s Republic of Korea (DPRK). These groups typically rely on phishing, exploitation of software defects, cyber intrusions, private key compromise, and in-person infiltration as their cybercrime modus operandi. Some individuals are also believed to do this work to earn a salary that is subsequently sent back to their home country.
The US Departments of Justice, State, and Treasury issued a joint advisory warning in 2022 regarding the influx of North Korean workers into various freelance tech positions, particularly in the crypto sector.
The Lazarus Group, arguably the most notorious group associated with the hermit kingdom, allegedly stole more than $3 billion in crypto assets in the six years preceding 2023.