ZachXBT exposes DPRK IT worker network: 140 members, $3.5M via fake developer jobs

April 9, 2026 · 2 min read

A hacker compromised a device belonging to a North Korean IT operative and accessed internal documents for an entire unit. Blockchain sleuth ZachXBT published the leaked data on X on Wednesday. The materials exposed a 140-member operation that generated $3.5 million in under four months.

In short: A group of fake developers from North Korea earned about $1 million per month by applying to crypto projects with forged identities. Their coordination server ran on the password "123456". ZachXBT linked the group's wallets to addresses blocked by OFAC.

Leaderboard and a password of "123456"

One leader, known as "Jerry", ran the operation through a site called luckyguys.site. The server kept a leaderboard tracking how much crypto each participant had brought in since December 8. Every entry included links to blockchain explorer pages showing transaction details.

Members used an Astrill VPN and Gmail accounts to submit job applications. They registered on Indeed as full-stack developers and software engineers. Payments flowed through Payoneer and were forwarded to Chinese bank accounts.

Wallets, sanctions and Tether

Some of the wallets used for payouts overlap with addresses blocked by Tether in December 2025. ZachXBT noted that several luckyguys.site accounts are tied to Sobaeksu, Saenal, and Songkwang - all three sanctioned by the US OFAC.

Total earnings from November 2025 through the breach came to $3.5 million. The roughly $1 million monthly pace held throughout the tracked period.

Operation parameters

Participants: 140 people
Earned since November 2025: $3.5 million
Pace: ~$1M/month
Server password: "123456"
Payment channel: Payoneer / Chinese banks

DPRK and crypto: $7 billion since 2009

North Korea has been stealing crypto since 2009. Total estimated theft exceeds $7 billion. Among the largest attacks: the Bybit hack at $1.4 billion and the Ronin Bridge hack at $625 million. DPRK hackers also drew suspicion in the Drift Protocol case - $280 million in April 2026.

IT fraud is quieter than direct hacks, but more consistent. A fake programmer does not need complex attack infrastructure; a convincing resume and a VPN will do.

What the server breach revealed

The compromised server exposed participant names, individual account balances, and transaction hashes. This data can serve as evidence for OFAC enforcement and compliance teams at crypto firms.
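The overlap between the payout wallets and Tether-frozen or OFAC-listed addresses is the kind of check a compliance team at an exchange or hiring platform would run over its own payout records. The following is an added example, not code from the article or from ZachXBT's published data: it screens a list of (chain, address) payout records against a blocklist, normalising EVM addresses so that a checksum-cased or upper-cased copy of a listed address is still caught. The blocklist entries and payout addresses are constructed placeholders, not real sanctioned addresses; a real deployment would load the OFAC SDN digital-currency addresses and the issuer's freeze list instead.

```python
"""Screen crypto payout addresses against a sanctions / issuer-freeze blocklist.

Added example; not from the article. Every address below is a constructed
placeholder, not a real sanctioned or frozen address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    chain: str
    address: str      # normalised form that matched
    list_name: str    # which list the hit came from


# Constructed sample blocklist: (chain, address) -> name of the source list.
# Placeholders stand in for OFAC SDN entries and issuer freeze lists.
SAMPLE_BLOCKLIST = {
    ("eth", "0x1111111111111111111111111111111111111111"): "OFAC-SDN (placeholder)",
    ("tron", "TPLACEHOLDERADDRESSXXXXXXXXXXXXXXX"): "issuer-freeze (placeholder)",
}


def normalize(chain: str, address: str) -> str:
    """Canonicalise an address so case or whitespace differences cannot hide a hit.

    EVM (Ethereum-style) addresses are 20-byte hex strings; EIP-55 checksum casing
    is only a display convention, so they compare case-insensitively and are
    lower-cased here. TRON base58 addresses are case-sensitive and kept as-is.
    """
    addr = address.strip()
    if chain == "eth":
        if not addr.lower().startswith("0x") or len(addr) != 42:
            raise ValueError(f"malformed EVM address: {address!r}")
        int(addr[2:], 16)  # raises ValueError if the body is not hex
        return addr.lower()
    return addr


def build_index(blocklist: dict) -> dict:
    """Normalise the blocklist once so lookups are exact-match dictionary hits."""
    return {(chain, normalize(chain, addr)): src for (chain, addr), src in blocklist.items()}


def screen(payouts, blocklist: dict = SAMPLE_BLOCKLIST) -> list:
    """Return a Match for every payout whose (chain, address) appears on the blocklist.

    `payouts` is an iterable of (chain, address) tuples, e.g. from a payment ledger.
    """
    index = build_index(blocklist)
    hits = []
    for chain, address in payouts:
        key = (chain, normalize(chain, address))
        if key in index:
            hits.append(Match(chain, key[1], index[key]))
    return hits


if __name__ == "__main__":
    # Constructed ledger: one listed EVM address written in upper-case hex,
    # one clean address, and one listed TRON address.
    ledger = [
        ("eth", "0X1111111111111111111111111111111111111111"),
        ("eth", "0x2222222222222222222222222222222222222222"),
        ("tron", "TPLACEHOLDERADDRESSXXXXXXXXXXXXXXX"),
    ]
    for m in screen(ledger):
        print(f"HIT {m.chain}:{m.address} -> {m.list_name}")
```

The normalisation step is the part that matters in practice: a payout ledger that stores the checksum-cased form of an address while the blocklist carries the lower-cased form will silently miss every hit if compared as raw strings.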

For platforms hiring freelancers, the takeaway is direct: email and resume KYC is no longer enough. DPRK groups adapt, and the IT front is proving as profitable for them as large-scale hacks.
