Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
No Result
View All Result
Home News Security & Hacks

ZachXBT Exposes DPRK Crypto Payment Network Processing $3.5M in Illicit Remittances

Leaked internal server data uncovers North Korea’s global IT worker network, exposing crypto remittance flows, laundering channels, operational hierarchy, and critical security weaknesses in state-linked financial operations.

Saravana Kumar Mahendran by Saravana Kumar Mahendran
April 9, 2026
in Security & Hacks
0 0
ZachXBT Exposes DPRK Crypto Payment

Source: Freepik Modified by Cryip

Share on FacebookShare on Twitter
MakeCryipCryippreferred onGoogle

Blockchain investigator ZachXBT has released a comprehensive forensic breakdown of data stolen from an internal North Korean payment server. The dataset, obtained from a compromised DPRK IT worker’s device via an unnamed source, includes 390 user accounts, detailed chat logs, and full cryptocurrency transaction records. The operation successfully processed more than $3.5 million in crypto inflows since late November 2025, funnelling funds through fraudulent identities and layered fiat conversion channels at an average rate of roughly $1 million per month.

ZachXBT Leaks Internal DPRK IT Payment Server
ZachXBT Leaks Internal DPRK IT Payment Server

Luckyguys.site: DPRK’s Internal Remittance Hub

The core of the operation was luckyguys[.]site, a self-hosted messaging platform built to resemble Discord. DPRK IT workers used it exclusively to report and confirm remittances to their handlers. The server operated with the default password 123456, which remained unchanged for at least ten accounts. User profiles contained Korean names, operational cities, assigned roles, and internal group codes consistent with known DPRK overseas IT worker structures.

ZachXBT
ZachXBT

Three entities appearing in the records, Sobaeksu, Saenal, and Songkwang, are already designated by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). All financial movements were centrally routed through the admin account PC-1234, which issued temporary login credentials for crypto exchanges and fintech platforms on a per-user basis. Direct messages between user “Rascal” and PC-1234 from December 2025 to April 2026 explicitly discuss payment confirmations and the use of Hong Kong addresses for both billing and procurement of physical goods.

Remittance Mechanics and Fiat Off-Ramps

Workers typically received cryptocurrency payments directly from client exchanges or converted earnings into fiat using Chinese bank accounts and platforms such as Payoneer. The admin account PC-1234 would then verify receipt before issuing new credentials. ZachXBT published an interactive organizational chart mapping the complete hierarchy with per-user and per-group payment totals covering December 2025 to February 2026.

Fiat Off-Ramps
Fiat Off-Ramps

On-chain analysis connects the payment flows to previously identified DPRK IT worker clusters. The dataset also reveals systematic use of forged legal documents and multiple fabricated identities for securing remote freelance and full-time positions.

Technical Infrastructure and Operational Practices

Technical Infrastructure
Technical Infrastructure

Administrators distributed 43 Hex-Rays and IDA Pro training modules between November 2025 and February 2026, focusing on disassembly, decompilation, debugging, and hostile PE unpacking techniques. Devices compromised by infostealer malware showed consistent use of Astrill VPN, IPMsg, and internal Slack channels, with one captured log indicating 33 DPRK workers operating simultaneously on the same network. Internal chats also referenced a planned theft attempt from the GalaChain game Arcano using a Nigerian proxy, along with the circulation of deepfake job-applicant blog posts to bypass recruitment screening. ZachXBT assessed the group as lower-tier compared to elite DPRK operations such as AppleJeus or TraderTraitor, noting their reliance on weak default credentials and basic operational security. The luckyguys[.]site domain was taken offline shortly after ZachXBT published his thread on April 8, although the complete dataset had already been archived.

Related Story

Hacked SpaceXAI and Starlink Accounts Promote SCATMAN Token Before 73.7 ETH Sales

Hacked SpaceXAI and Starlink Accounts Promote SCATMAN Token Before 73.7 ETH Sales

July 13, 2026
Suspected Hedera DeFi Hack Moves $5.8 Million to Ethereum

Bonzo Lend Oracle Exploit Triggers Cross-Chain Fund Transfers on Hedera

July 11, 2026

Key Security Observations

  • Default password hygiene remains dangerously weak even within state-linked financial operations.
  • Payoneer and Chinese fintech services continue to function as primary fiat conversion channels for DPRK remittances.
  • Infostealer infections on worker devices represent the most valuable entry point for external researchers.
  • Internal server data provides significantly stronger attribution signals than on-chain analysis alone.

This leak offers rare operational visibility into the financial backbone of North Korea’s overseas IT revenue program. ZachXBT indicated he will continue expanding the public dashboard at investigation.io with additional findings from the dataset.

Disclaimer: Cryip is an independent media and research outlet providing news, data, and analysis on the cryptocurrency industry. Content is for informational and research purposes only and does not constitute financial, legal, tax, or investment advice. Cryptocurrency markets are volatile and past performance is not indicative of future results. References to specific assets, platforms, or incidents are for journalistic purposes only and do not imply endorsement, and readers assume full responsibility for their decisions.
Tags: Crypto Hacks

Related Posts

Hacked SpaceXAI and Starlink Accounts Promote SCATMAN Token Before 73.7 ETH Sales
Security & Hacks

Hacked SpaceXAI and Starlink Accounts Promote SCATMAN Token Before 73.7 ETH Sales

by Saravana Kumar Mahendran
July 13, 2026

Promotional content related to the SCATMAN token appeared on the @SpaceXAI and @Starlink X accounts in mid-July 2026. On-chain analytics...

Read moreDetails
Suspected Hedera DeFi Hack Moves $5.8 Million to Ethereum

Bonzo Lend Oracle Exploit Triggers Cross-Chain Fund Transfers on Hedera

July 11, 2026
CodexField on BNB Chain Faces Rug Pull Allegations

BNB Chain Project CodexField Faces Rug Pull Claims After Abnormal Fund Transfers

July 10, 2026
Hackers Target Injective Wallet Keys Through Compromised npm Package

Malicious Injective SDK Package Targets Private Keys and Seed Phrases

July 10, 2026
Ethereum User Loses Nearly $1 Million USDT in Phishing Token Approval Exploit

Phishing Approval Drains 999K USDT From Ethereum Wallet

July 9, 2026
Ctrl Wallet to Permanently Shut Down

Ctrl Wallet to Permanently Shut Down on August 3 After Cardano Security Exploit

July 7, 2026
Trader Loses $2M After ETH Swap to LIT Routes Through AVAIL Pool

Trader Loses $2M After ETH Swap to LIT Routes Through AVAIL Pool

July 7, 2026
Next Post
Bitcoin Depot Reports $3.6M Crypto Theft in Cyber Breach

Bitcoin Depot Reports $3.6M Crypto Theft in Cyber Breach

Splyce Finance Secures Strategic Funding Round Backed by Sui Foundation, StellarOrg, and Solana Foundation

Splyce Finance Closes Strategic Funding Round Backed by Sui Foundation, StellarOrg, and Others

Recommended

  • All
  • News
US Treasury Freezes $130 Million in Crypto Linked to Iran's Central Bank

US Treasury Freezes $130 Million in Crypto Linked to Iran’s Central Bank

July 15, 2026
Stripe and Advent Offer $53 Billion Deal to Acquire PayPal

Stripe and Advent Offer $53 Billion Deal to Acquire PayPal

July 15, 2026
Morgan Stanley Amends Ethereum and Solana ETF Filings With SEC, Sets 0.14% Fee

Morgan Stanley Updates Ethereum and Solana ETF Filings Ahead of Launch

July 15, 2026
Coinbase Opens Registration to Chinese Users, but Trading Access Remains Unclear

Coinbase Opens Registration to Chinese Users, but Trading Access Remains Unclear

July 14, 2026
Tether Leads $7 Million Funding Round in Pact Labs to Bring USA₮ Into U.S. Payroll Infrastructure

Tether Leads $7 Million Funding Round in Pact Labs to Bring USA₮ Into U.S. Payroll Infrastructure

July 14, 2026
Polymarket Partners With Blockchain.com to Roll Out Prediction Markets During World Cup Semifinals

Polymarket Partners With Blockchain.com to Roll Out Prediction Markets During World Cup Semifinals

July 14, 2026
UK Defers Capital Gains Tax on Crypto Lending and Liquidity Pools From 2027

UK Defers Capital Gains Tax on Crypto Lending and Liquidity Pools From 2027

July 14, 2026
South Korea Expands Blockchain Strategy With Tokenized Bond Pilot and Crypto Reforms

South Korea Expands Blockchain Strategy With Tokenized Bond Pilot and Crypto Reforms

July 14, 2026

Cryip focuses on crypto research and on-chain analysis, supported by coverage of markets, regulation, security events, and blockchain ecosystems.

Recent Posts

  • South Korea Moves Toward Recognizing Crypto as a National Asset
  • US Treasury Freezes $130 Million in Crypto Linked to Iran’s Central Bank
  • Stripe and Advent Offer $53 Billion Deal to Acquire PayPal

Categories

  • AI × Crypto
  • Data & Dashboards
  • DeFi Basics
  • Investing Basics
  • Market & Price
  • Market Updates
  • On-Chain Analysis
  • OpSec
  • Policy & Regulation
  • Post Mortems
  • Press Release
  • Reports
  • Scams & Fraud
  • Security & Hacks
  • Stablecoins
  • Tokenomics
  • VC & Funding
  • Wallets & Custody

Company

  • About Us
  • Contact Us
  • Editorial Standards & Integrity
  • Our Team
  • Privacy Policy
  • Review Methodology
  • Terms and Conditions
  • Trust, Disclosures & Independence

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.