🌚 The password "123456" exposed a network of IT workers from North Korea in the crypto industry



IT specialists from North Korea are posing as ordinary developers to get into crypto projects, with the aim of hacking them later. This was reported by on-chain detective ZachXBT, who was provided with data from North Korea's internal payment server by an anonymous source.

The scheme turned out to be complex: fake identities, forged documents, and the conversion of crypto into fiat worth roughly $1 million per month.

The leak was made possible by hacking the device of one North Korean IT specialist known as Jerry. The extracted data included chat logs from the IPMsg messenger, fake job seeker profiles, browser history, as well as roles, Korean names, cities, and code names of groups.

By cross-referencing this information with their own databases, ZachXBT reconstructed the full organizational structure of the network, including detailed payouts to each user and group from December 2025 to February 2026. Internal transaction analysis revealed on-chain links to several known North Korean IT clusters.

ZachXBT noted that this group of IT specialists is less sophisticated than AppleJeus and TraderTraitor, which operate more effectively and pose the main threat to the industry.