Close Menu
    X (Twitter) LinkedIn
    CapitalAI DailyCapitalAI Daily
    X (Twitter) LinkedIn
    • Intelligence
    • Markets & Investments
    • Big Tech & AI
    • AI & Cybercrime
    • Jobs & AI
    • Banks
    • Crypto
    Saturday, July 11
    CapitalAI DailyCapitalAI Daily
    Home»AI & Cybercrime»ZachXBT Uncovers $3,500,000+ North Korean Network Using Fake Identities To Target AI and Crypto Firms

    ZachXBT Uncovers $3,500,000+ North Korean Network Using Fake Identities To Target AI and Crypto Firms

    By Henry KanapiApril 10, 20262 Mins Read
    Share
    Twitter LinkedIn

    Prominent on-chain researcher ZachXBT is exposing a network of North Korean IT workers who are infiltrating AI and crypto firms to generate millions of dollars for their handlers.

    In a new thread on X, ZachXBT says an unnamed source provided exfiltrated data from an internal Democratic People’s Republic of North Korea (DPRK) payment server, including 390 accounts, chat logs and transaction records.

    According to ZachXBT, the exposé started after a DPRK IT worker’s device was infected with an infostealer, which revealed a data trove outlining a coordinated system built on fake identities, forged documents and crypto-to-fiat conversion pipelines.

    “It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.”

    Image
    Source: ZachXBT/X

    ZachXBT’s extracted screenshot shows a DPRK IT worker applying for a job at RetainAI, a firm that specializes in AI for eyecare.

    The data also shows that the network was using luckyguys.site, an internal payment remittance platform, to report payments back to their handlers. According to ZachXBT, the site was taken down following his posts.

    The on-chain sleuth adds that a central administrator account, known as PC-1234, processed and confirmed all payments.

    “Since late November 2025, $3.5M+ was received across the payment wallet addresses. Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.

    PC-1234 then confirms receipt and provides account credentials, varying between crypto exchanges and fintech payment platforms depending on the user.”

    Additional data from the compromised device of “Jerry” reveals the use of VPNs and internal communication among dozens of workers, including discussions about using deepfakes and exploiting crypto projects.

    “Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.

    An internal Slack message showed ‘Nami’ sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren’t allowed to share external links.

    Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.”

    Image
    Source: ZachXBT/X

    ZachXBT notes that while this cluster is less sophisticated than other known DPRK-linked groups, it still generates significant revenue.

    “I previously estimated DPRK IT workers generate multiple seven figures per month in revenue, and the data here supports that.”

    Disclaimer: Opinions expressed at CapitalAI Daily are not investment advice. Investors should do their own due diligence before making any decisions involving securities, cryptocurrencies, or digital assets. Your transfers and trades are at your own risk, and any losses you may incur are your responsibility. CapitalAI Daily does not recommend the buying or selling of any assets, nor is CapitalAI Daily an investment advisor. See our Editorial Standards and Terms of Use.

    AI Crypto North Korea ZachXBT
    Previous ArticleSecretary Scott Bessent, Senator Cynthia Lummis, David Sacks and Paul Atkins Urge Congress To Pass Crypto Market Structure Bill
    Next Article Circle’s Jeremy Allaire Says Blockchain Will Power New AI Agent Economy Beyond Payments and E-Commerce

    Read More

    One Shock, Two Supercycle Trades – The $30,739,400,000 ETF Flows in 2026 Almost Nobody Is Talking About

    June 15, 2026

    Goldman Sachs CEO David Solomon Says S&P 500’s Other 490 Stocks Are ‘Pretty Attractive’ – Here’s the Catalyst He’s Watching

    June 5, 2026

    Former Morgan Stanley Executive Names Catalyst That Could Trigger Bitcoin (BTC) Resurgence Amid Falling Prices

    June 4, 2026

    Wedbush’s Dan Ives Reveals $575 Price Target for Microsoft, Says Market Is Mispricing MSFT – Here’s His Outlook

    June 2, 2026

    Michael Saylor’s Strategy Sells Bitcoin To Fund Dividends as USD Reserve Collapses 60% to $900,000,000 in Three Months

    June 1, 2026

    JPMorgan Warns One-Fifth of Global Oil and 90% of Advanced Chips Flow Through Two Vulnerable Choke Points – Here’s How To Play It

    May 27, 2026
    X (Twitter) LinkedIn
    • About
    • Author
    • Editorial Standards
    • Contact Us
    • Privacy Policy
    • Terms of Service
    • Cookie Policy
    © 2025 CapitalAI Daily. All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.