Prominent on-chain researcher ZachXBT is exposing a network of North Korean IT workers who are infiltrating AI and crypto firms to generate millions of dollars for their handlers.
In a new thread on X, ZachXBT says an unnamed source provided exfiltrated data from an internal Democratic People’s Republic of Korea (DPRK) payment server, including 390 accounts, chat logs and transaction records.
According to ZachXBT, the exposé started after a DPRK IT worker’s device was infected with an infostealer, which revealed a data trove outlining a coordinated system built on fake identities, forged documents and crypto-to-fiat conversion pipelines.
“It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.”
A screenshot ZachXBT extracted from the data shows a DPRK IT worker applying for a job at RetainAI, a firm that specializes in AI for eyecare.
The data also shows that the network was using luckyguys.site, an internal payment remittance platform, to report payments back to its handlers. According to ZachXBT, the site was taken down following his posts.
The on-chain sleuth adds that a central administrator account, known as PC-1234, processed and confirmed all payments.
“Since late November 2025, $3.5M+ was received across the payment wallet addresses. Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.
PC-1234 then confirms receipt and provides account credentials, varying between crypto exchanges and fintech payment platforms depending on the user.”
Additional data from the compromised device of “Jerry” reveals the use of VPNs and internal communication among dozens of workers, including discussions about using deepfakes and exploiting crypto projects.
“Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.
An internal Slack message showed ‘Nami’ sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren’t allowed to share external links.
Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.”
ZachXBT notes that while this cluster is less sophisticated than other known DPRK-linked groups, it still generates significant revenue.
“I previously estimated DPRK IT workers generate multiple seven figures per month in revenue, and the data here supports that.”
Disclaimer: Opinions expressed at CapitalAI Daily are not investment advice. Investors should do their own due diligence before making any decisions involving securities, cryptocurrencies, or digital assets. Your transfers and trades are at your own risk, and any losses you may incur are your responsibility. CapitalAI Daily does not recommend the buying or selling of any assets, nor is CapitalAI Daily an investment advisor.