ZachXBT Identifies 21 North Korean Developers Earning $500,000 Per Month
Blockchain investigator ZachXBT claims to have uncovered a sophisticated network of North Korean developers earning up to $500,000 per month while working for "established" crypto projects.
In an X post on August 15, ZachXBT told his 618,000 followers that he believes a "single entity in Asia," most likely operating out of North Korea, is pulling in between $300,000 and $500,000 per month by placing at least 21 workers across more than 25 crypto projects.
"A team recently reached out to me requesting assistance after $1.3 million was stolen from their treasury following the installation of malware," ZachXBT said.
"Unbeknownst to the team, they had hired multiple DPRK IT workers as developers, who had been using fake identities."
ZachXBT alleges that the $1.3 million recently stolen by the DPRK workers was laundered through a chain of transactions, including transfers to a theft address, ultimately ending with 16.5 Ether (ETH) sent to two different exchanges.
After digging further into these developers, ZachXBT believes they are part of a much larger network.
By tracing multiple payment addresses, he found a cluster of developers that had received "375,000 USD in the past month," with prior transactions totaling $5.5 million flowing into an exchange deposit address from July 2023 through some point in 2024.
Those payments were then linked to North Korean IT workers and an individual named Sim Hyon Sop — who was sanctioned by the Office of Foreign Assets Control (OFAC) for allegedly coordinating financial transactions that ultimately supported North Korea's weapons programs.
ZachXBT said his investigation also uncovered other payment addresses closely tied to a second OFAC-sanctioned individual, Sang Man Kim, who had previously been implicated in DPRK-related cybercrime.
U.S. law enforcement believes Kim "was involved in paying salaries to family members of overseas DPRK worker teams" and received $2 million in crypto for selling IT equipment to DPRK-affiliated groups in China and Russia.
ZachXBT also found overlapping IP addresses from Russian telecom providers among developers who claimed to be working in the United States and Malaysia. At least one of the workers "accidentally revealed their other identities on a note-taking app."
Some of the developers he identified had even been referred by recruiting firms, and in several cases they referred one another for jobs.
"Many experienced teams have hired these developers, so it isn't fair to solely blame them," ZachXBT said.
"Shortly after posting, another project discovered they had hired one of the DPRK IT workers (Naoki Murano) listed in my spreadsheet and shared my post in their team chat. Within two minutes, Naoki left the chat and deleted his GitHub."
Organizations linked to the Democratic People's Republic of Korea (DPRK) are believed to be behind numerous cyberattacks and other schemes over the years. Their criminal methods typically include phishing, software vulnerability exploitation, network intrusion, private key compromise, and direct infiltration. Some individuals also take legitimate-looking jobs for a salary, then remit their earnings back to the country.
In 2022, the U.S. Departments of Justice, State, and Treasury issued a joint advisory warning about the growing number of North Korean workers taking remote tech jobs, particularly in the crypto sector.
Perhaps most notably, the Lazarus Group — the regime's most infamous hacking outfit — is believed to have stolen more than $3 billion in crypto assets in the six years leading up to 2023.