Crypto Investigator Exposes North Korea’s Secret $1 Million A Month Scheme

Crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories.

The extraction of the data was possible because one of this IT workers workers from the Democratic People’s Republic of Korea (DPRK) had his device infected with an infostealer (malware designed specifically to steal sensitive information). The malware exposed IPMsg chat logs, fabricated identities, and detailed browser activity.

2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed: luckyguys[.]site

The thread walks through how DPRK IT agents, often posing as freelancers abroad, are allegedly getting paid in crypto and funneled back into regime‑linked channels.

The website that surfaced from the data extraction was called luckyguys.site. According to the crypto detective, it appeared to function as an internal payment remittance hub: a Discord‑like messaging platform where DPRK IT operatives reported and reconciled their crypto payments with superiors.

Believe it or not, the site’s default login password was set to “123456”. At the moment of the data extraction, ten accounts were still using it unchanged.

The account roster showed roles, Korean names, locations, and internal group codes that align with known North Korean IT worker structures. ZachXBT highlighted that three of the companies referenced in the data, Sobaeksu, Saenal, and Songkwang, are already subject to OFAC sanctions.

The crypto investigator shared a video showing direct messages from one WebMsg account, “Rascal”, with PC‑1234 (the server admin account) that spell out payment transfers and the use of fake identities from December 2025 to April 2026. Every payment in these chats is routed and finalized via PC‑1234. The logs also reference Hong Kong addresses for billing and delivery of goods, although whether those details are genuine still needs to be confirmed.

4/ Here is one of the WebMsg users ‘Rascal’ and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.

All payments are processed and confirmed through the server admin account: PC-1234.

The findings only grow more interesting as the thread advances. Since late November 2025, more than $3.5 million has flowed into the payment wallets. The same remittance pattern shows up again and again: users either send crypto in directly from an exchange or service, or off‑ramp into fiat via Chinese bank accounts using platforms such as Payoneer.

After that, PC‑1234 acknowledges the incoming funds and hands over login credentials, which can be for different crypto exchanges or fintech payment apps, depending on the specific user.

5/ Since late November 2025 $3.5M+ was received across the payment wallet addresses.

The remittance pattern was consistent across users:

Other interesting findings show that the compromised device, which belonged to someone called “Jerry”, still had Astrill VPN in use, along with multiple fabricated identities being used to apply for jobs. Inside an internal Slack workspace, a user named “Nami” shared a blog post about a deepfake job applicant linked to DPRK IT workers. One colleague asked if the story was about them, while another reminded the group they weren’t allowed to post external links.

8/ Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.

Jerry exchanged messages with another North Korean IT worker about plans to steal from a project, using a Nigerian proxy to target Arcano, a GalaChain game. If that attack was ever carried out or not is unclear.

9/ Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.

ZachXBT concluded that this DPRK IT worker cluster appears relatively unsophisticated compared with outfits like AppleJeus and TraderTraitor, which run much tighter operations and pose a far greater systemic threat to the crypto industry. His earlier estimated that North Korean IT workers collectively pull in several million dollars a month is reinforced by this dataset.

Today, the investigator posted an update explaining that the internal DPRK payment portal has been pulled offline following the publication of his findings. All of the data was fully captured and archived beforehand.

Update: The internal DPRK payment site has since been taken down after my post.

Crypto is now deeply embedded in geopolitical shadow economies. On‑chain transparency cuts both ways for users and adversaries.

It wouldn’t be surprising if markets start to price higher compliance costs for CEXs and OTC desks, or if there is more friction for stablecoin flows in sanctioned regions. The North Korean saga surely raises the odds of more aggressive enforcement against cross‑border flows, privacy tools, and high‑risk venues.

Cover image from Perplexity. BTCUSDT chart from Tradingview.