Crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories.
The DPRK Crypto-Infiltration Saga, Part III (From This Week Only)
The North Korean secret crypto-agents saga continues. The hidden network of North Korea–aligned crypto hackers have been slowly exposed on the social network X these past days, following the attribution of the April 1st $285 million attack on Drift Protocol to UNC4736, a North Korea–aligned, state‑sponsored hacking group.
On Sunday, security researcher Taylor Monahan claimed that North Korean IT workers have quietly worked inside more than 40 DeFi projects over roughly seven years. Also on Sunday and Monday, multiple crypto industry actors shared videos and stories of North Korean IT workers failing the “Kim Jong-Un Test”.
Now, it was ZachXBT turn to publish his findings, which he did yesterday on a thread on the social network X. The exfiltrated data, that hadn’t been publicly released before, was shared with him by an anonymous source.
The extraction of the data was possible because one of this IT workers workers from the Democratic People’s Republic of Korea (DPRK) had his device infected with an infostealer (malware designed specifically to steal sensitive information). The malware exposed IPMsg chat logs, fabricated identities, and detailed browser activity.
2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.
Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]siteAn internal payment remittance platform,… pic.twitter.com/0rA1CxSmZx
— ZachXBT (@zachxbt) April 8, 2026
The thread walks through how DPRK IT agents, often posing as freelancers abroad, are allegedly getting paid in crypto and funneled back into regime‑linked channels.
A Breakdown Of The Findings
The website that surfaced from the data extraction was called luckyguys.site. According to the crypto detective, it appeared to function as an internal payment remittance hub: a Discord‑like messaging platform where DPRK IT operatives reported and reconciled their crypto payments with superiors.
Believe it or not, the site’s default login password was set to “123456”. At the moment of the data extraction, ten accounts were still using it unchanged.
The 123456 password. Source. ZachXBT on X.
The account roster showed roles, Korean names, locations, and internal group codes that align with known North Korean IT worker structures. ZachXBT highlighted that three of the companies referenced in the data, Sobaeksu, Saenal, and Songkwang, are already subject to OFAC sanctions.
The crypto investigator shared a video showing direct messages from one WebMsg account, “Rascal”, with PC‑1234 (the server admin account) that spell out payment transfers and the use of fake identities from December 2025 to April 2026. Every payment in these chats is routed and finalized via PC‑1234. The logs also reference Hong Kong addresses for billing and delivery of goods, although whether those details are genuine still needs to be confirmed.
4/ Here is one of the WebMsg users ‘Rascal’ and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.
All payments are processed and confirmed through the server admin account: PC-1234.
Addresses in Hong… pic.twitter.com/akyjmTbL5J
— ZachXBT (@zachxbt) April 8, 2026
The findings only grow more interesting as the thread advances. Since late November 2025, more than $3.5 million has flowed into the payment wallets. The same remittance pattern shows up again and again: users either send crypto in directly from an exchange or service, or off‑ramp into fiat via Chinese bank accounts using platforms such as Payoneer.
After that, PC‑1234 acknowledges the incoming funds and hands over login credentials, which can be for different crypto exchanges or fintech payment apps, depending on the specific user.
5/ Since late November 2025 $3.5M+ was received across the payment wallet addresses.
The remittance pattern was consistent across users:
Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.… pic.twitter.com/IhbqW3eKKI
— ZachXBT (@zachxbt) April 8, 2026
A Reconstruction Of The Network’s Hierarchy
The crypto detective reconstructed the network’s entire organizational hierarchy using the full dataset and made an interactive version of this org chart.
DPRK IT Workers - Organizational Structure. Source: ZachXBT on X.
When the investigator followed the internal payment wallets on‑chain, he found connections to several already‑attributed DPRK IT worker clusters. The Tron‑based wallet was frozen by Tether in December 2025.
Other interesting findings show that the compromised device, which belonged to someone called “Jerry”, still had Astrill VPN in use, along with multiple fabricated identities being used to apply for jobs. Inside an internal Slack workspace, a user named “Nami” shared a blog post about a deepfake job applicant linked to DPRK IT workers. One colleague asked if the story was about them, while another reminded the group they weren’t allowed to post external links.
8/ Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.
An internal Slack showed ‘Nami’ sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren’t allowed to… pic.twitter.com/7ZdGbX91WT
— ZachXBT (@zachxbt) April 8, 2026
Jerry exchanged messages with another North Korean IT worker about plans to steal from a project, using a Nigerian proxy to target Arcano, a GalaChain game. If that attack was ever carried out or not is unclear.
9/ Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.
However, it remains unclear if the attack later materialized. pic.twitter.com/p9QQLHbB91
— ZachXBT (@zachxbt) April 8, 2026
The admin also distributed 43 Hex-Rays/IDA Pro training materials to the group between November 2025 and February 2026. These sessions focused on disassembly, decompilation, both local and remote debugging, and a range of cybersecurity techniques. One link shared on November 20 was explicitly titled: “using-ida-debugger-to-unpack-an-hostile-pe-executable”.
Final Thoughts
ZachXBT closing image for the thread. Source: ZachXBT on X.
ZachXBT concluded that this DPRK IT worker cluster appears relatively unsophisticated compared with outfits like AppleJeus and TraderTraitor, which run much tighter operations and pose a far greater systemic threat to the crypto industry. His earlier estimated that North Korean IT workers collectively pull in several million dollars a month is reinforced by this dataset.
Today, the investigator posted an update explaining that the internal DPRK payment portal has been pulled offline following the publication of his findings. All of the data was fully captured and archived beforehand.
Update: The internal DPRK payment site has since been taken down after my post.
However all data was archived in advance. pic.twitter.com/9cRdopal5g
— ZachXBT (@zachxbt) April 9, 2026
Crypto is now deeply embedded in geopolitical shadow economies. On‑chain transparency cuts both ways for users and adversaries.
It wouldn’t be surprising if markets start to price higher compliance costs for CEXs and OTC desks, or if there is more friction for stablecoin flows in sanctioned regions. The North Korean saga surely raises the odds of more aggressive enforcement against cross‑border flows, privacy tools, and high‑risk venues.
Yesterday, Bitcoin bounced back and reclaimed $72k. At the moment of writing, BTC trades for around $71k on the daily chart. Source: BTCUSDT on Tradingview.
Cover image from Perplexity. BTCUSDT chart from Tradingview.
