ZachXBT exposes North Korean IT network generating $1 million per month


Prominent blockchain investigator ZachXBT has published a detailed investigation claiming that a North Korea-linked network of approximately 390 IT specialists earns around $1 million per month through cryptocurrency payments and fake employment schemes. According to his findings, the operation has generated more than $3.5 million since November 2025.

Highlights

  • ZachXBT identified a network of 390 North Korean IT specialists earning about $1 million per month.
  • Since November 2025, the operation has generated more than $3.5 million through crypto payments and fake job schemes.
  • Data was obtained from a malware-infected device; the group used an internal platform called WebMsg.
  • Three OFAC-sanctioned organizations were involved; one Tron address was frozen by Tether.

How the network operated

The information was obtained from internal data stolen from a North Korean IT worker’s device via malware. The leak includes data on roughly 390 accounts, chat logs, fabricated identities, browser history, and cryptocurrency transaction records.

The network used an internal platform called luckyguys.site (also known as WebMsg), which functions like a messenger. Employees reported their earnings and received payment instructions from a central administrator. Funds were typically received in cryptocurrency and then converted to fiat currency through Chinese bank accounts or platforms such as Payoneer. Three organizations under OFAC sanctions — Sobaeksu, Saenal, and Songkwang — appeared in the user list. One connected Tron address was frozen by Tether in December 2025.

Structure and scale of the operation

ZachXBT noted that the operation relies on fake identities, forged documents, and tightly coordinated payment flows. The data was released in an 11-part thread on X, along with an interactive organizational chart.  

According to the analyst, such low-level North Korean IT worker groups continue to generate multimillion-dollar revenues each month, although they are less sophisticated than the country’s more advanced hacking units.

Implications for crypto industry and cybersecurity

ZachXBT’s investigation highlights how extensively North Korea utilizes cryptocurrencies to fund its operations. The network, which earns approximately 1 million dollars monthly and has already generated over 3.5 million dollars in four months, demonstrates the effectiveness of fake employment schemes. 

It serves as another example of how cryptocurrency payments enable bypassing traditional financial systems and international sanctions.

In an earlier report, we noted that, according to MetaMask, North Korean operatives have been embedded in crypto firms for years.
