Prominent blockchain investigator ZachXBT has published a detailed investigation claiming that a North Korea-linked network of approximately 390 IT specialists earns around $1 million per month through cryptocurrency payments and fake employment schemes. According to his findings, the operation has generated more than $3.5 million since November 2025.
The information was obtained from internal data stolen from a North Korean IT worker’s device via malware. The leak includes data on roughly 390 accounts, chat logs, fabricated identities, browser history, and cryptocurrency transaction records.
The network used an internal platform called luckyguys.site (also known as WebMsg), which functions like a messenger. Employees reported their earnings and received payment instructions from a central administrator. Funds were typically received in cryptocurrency and then converted to fiat currency through Chinese bank accounts or platforms such as Payoneer. Three organizations under OFAC sanctions — Sobaeksu, Saenal, and Songkwang — appeared in the user list. One connected Tron address was frozen by Tether in December 2025.
ZachXBT noted that the operation relies on fake identities, forged documents, and tightly coordinated payment flows. The data was released in an 11-part thread on X, along with an interactive organizational chart.
According to the analyst, such low-level North Korean IT worker groups continue to generate multimillion-dollar revenues each month, although they are less sophisticated than the country’s more advanced hacking units.
ZachXBT’s investigation highlights how extensively North Korea utilizes cryptocurrencies to fund its operations. The network, which earns approximately $1 million monthly and has already generated over $3.5 million in four months, demonstrates the effectiveness of fake employment schemes.
It serves as another example of how cryptocurrency payments enable bypassing traditional financial systems and international sanctions.
In an earlier report, we noted that, according to MetaMask, North Korean operatives have been embedded in crypto firms for years.