cryptonews, September 25, 2025

ZachXBT Links North Korean IT Workers to Over 25 Crypto Hacks and Team Extortion Schemes

Blockchain investigator ZachXBT has documented at least 25 instances of North Korean IT workers infiltrating crypto companies to steal funds or extort employers, contradicting misconceptions that these operatives only seek legitimate employment. The revelation came in response to a claim made by Amjad Masad, CEO of the AI coding platform Replit, that North Korean workers primarily pursue remote jobs for financial gain rather than malicious purposes.

“Not to infiltrate” This is actually a common misconception. At minimum there’s 25+ instances of DPRK ITWs hacking or extorting teams for […]. Not all of those companies were related to […].
— ZachXBT (@zachxbt), September 25, 2025

Cyber Operations Generate Billions for Weapons Program

ZachXBT’s findings reveal sophisticated operations in which agents from the Democratic People’s Republic of Korea pose as developers, security specialists, and finance professionals to gain insider access to crypto companies. These workers have evolved beyond simple employment fraud to hack systems and actively threaten former employers with data leaks. In fact, just earlier this month, Binance founder Changpeng Zhao warned about four primary attack vectors used by North Korean hackers, including fake job applications, fraudulent interviews with malware-laden links, customer support scams, and bribery of employees or outsourced […]. He cited a recent incident that included a major hack of an Indian outsourced service, which leaked […] user data, resulting in over $400 million in […]. These operations have generated massive profits, with North Korean hackers stealing over $1.3 billion across 47 incidents in 2024 and $2.2 billion in the first half of 2025. The funds flow back to North Korea’s weapons program through elaborate money laundering […].

Infiltration Through Elaborate Identity Fraud Networks

ZachXBT’s recent investigation has exposed five North Korean IT workers operating under more than 30 fake identities, using government-issued ID cards and professional LinkedIn and Upwork accounts to secure positions at crypto projects.

A breach of one operative’s device revealed systematic expense documentation for purchasing Social Security numbers, professional accounts, and VPN services. The compromised data included Google Drive exports, Chrome browser profiles, and device screenshots from a five-person syndicate conducting employment fraud […]. The expense spreadsheet detailed purchases of AI subscriptions, computer rental services, and proxy networks designed to meet blockchain industry employment requirements. North Korean operatives established legitimate U.S. corporations, including Blocknovas LLC and Softglide LLC, using fake identities to create credible corporate […]. Silent Push researchers discovered Blocknovas registered to a vacant lot in South Carolina, while Softglide traced back to a Buffalo tax […]. The FBI seized Blocknovas’ domain as part of a law enforcement action against North Korean cyber actors who utilized fake job postings to distribute malware. The companies served as launching pads for the “Contagious Interview” campaign, a Lazarus Group subgroup specializing in sophisticated malware […]. The investigation traced one frequently used ERC-20 wallet address back to the $680,000 Favrr exploit in June 2025, where the project’s chief technology officer and additional developers were later identified as DPRK operatives using fraudulent […].

ZachXBT exposes 5 North Korean workers running 30+ fake identities to target crypto projects as anonymous source compromises DPRK IT worker devices, revealing $680K Favrr exploit. #NorthKorea #Lazarus
— Cryptonews.com (@cryptonews), August 13, 2025

Advanced Malware Campaigns Target Global Developer Networks

The PylangGhost malware campaign, discovered in June, represents one of North Korea’s most sophisticated attacks targeting crypto professionals, particularly India-based blockchain developers, through elaborate fake interview […]. Cisco Talos researchers documented how Famous Chollima threat groups create fraudulent skill-testing websites using React. Candidates complete technical assessments designed to validate professional backgrounds before receiving invitations to record video interviews. The sites request camera access through seemingly innocuous button clicks, then display instructions for downloading alleged video drivers containing malicious Python-based malware. The malware establishes persistent system access while targeting over 80 browser extensions, including MetaMask, Phantom, Bitski, and […].

North Korean IT workers are growing globally. @Google warns UK crypto firms of North Korea-linked fraudsters infiltrating blockchain projects with fake identities and extortion tactics. #Crypto #CyberSecurity
— Cryptonews.com (@cryptonews), April 2, 2025

Earlier this year, Google’s Threat Intelligence Group documented North Korean operatives expanding beyond the U.S. to infiltrate blockchain companies in the United Kingdom and […]. The shift followed heightened scrutiny from American authorities, pushing operators to seek employment beyond the U.S. Since October, dismissed North Korean IT workers have increasingly resorted to extortion tactics, threatening former employers with data leaks or selling proprietary information to competitors unless […]. The escalation coincides with intensified U.S. enforcement actions, including indictments targeting fraudulent IT employment […]. International responses have intensified with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically targeting North Korean crypto […]. U.S. authorities also seized over $7.7 million in crypto allegedly earned through networks of covert IT workers posing as foreign freelancers in June.
