Cointime


Counterhacker exposes DPRK unit that made $1M a month working IT jobs

A group of North Korean IT workers made more than $3.5 million in just a few months by faking their identities to work as developers while also attempting to hack crypto projects, according to documents obtained by a hacker who compromised one of their devices.

The leaked data obtained by the unnamed hacker was shared by blockchain sleuth ZachXBT in a post to X on Wednesday. It revealed that one of the IT workers, “Jerry,” and a team of 140 members were making roughly $1 million a month, amounting to $3.5 million worth of crypto since late November.

The North Korean IT workers coordinated payments on a website called “luckyguys.site” using a shared password, “123456,” ZachXBT said, adding that some of the users on that platform appeared to work for Sobaeksu, Saenal and Songkwang, which are sanctioned by the US Office of Foreign Assets Control.

These crypto payments were converted into fiat and sent to Chinese bank accounts via online payment platforms like Payoneer. Tracing these wallet addresses also revealed links to other known North Korean wallets that were blacklisted by Tether in December, ZachXBT said.

Bad actors from North Korea and other countries continue to threaten the crypto industry with increasingly sophisticated tactics for carrying out hacks and scams. 

North Korean state-backed workers have stolen over $7 billion in funds since 2009, with a large share of that coming from crypto projects. The $1.4 billion hack of crypto exchange Bybit and the $625 million Ronin bridge hack are among their most notable attacks.

North Korean hackers were also blamed for the $280 million hack of the Drift Protocol on April 1. 

North Korean IT workers had a leaderboard

The North Korean IT workers who had their data exposed had a leaderboard showing how much crypto each IT worker had brought in for the organization since Dec. 8, with links to blockchain explorer pages showing transaction details.

  Tables showing how much crypto each IT worker has brought in for North Korea since Dec. 8. Source: ZachXBT


Another screenshot shared by ZachXBT showed that Jerry used an Astrill virtual private network to access Gmail, where he submitted several applications for full-stack developer and software engineer roles on Indeed.

In an unsent email, Jerry wrote a letter for a WordPress content and search engine optimization specialist position at a T-shirt company in Texas, seeking $30 an hour with availability of 15 to 20 hours a week.

  Screenshot of Jerry’s email receipts of submitted job applications. Source: ZachXBT


Identification documents were falsified, too, with one of the IT workers, “Rascal,” sharing pictures of a billing statement using a fake name and fake address in Hong Kong. 

Rascal also shared a picture of an Irish passport, though it is not clear if it was used.

ZachXBT, however, said these IT workers were less sophisticated than other North Korean groups like AppleJeus and TraderTraitor, which “operate far more efficiently and present the greatest risks to the industry.”
