Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    CLARITY Act 5 Fights Still Unresolved Before the Merged Draft Drops
    CLARITY Act: 5 Fights Still Unresolved Before the Merged Draft Drops
    Strategy's Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet_
    Strategy’s Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
Industry

Inside DPRK Crypto Network: ZachXBT Analyzes Leaked Server Data

Internal chats and transactions expose how North Korean IT workers route crypto, use fake identities, and coordinate payments through a centralized system.

Written By Shubham Soni
Published 2026-04-08·Updated 3 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
Inside DPRK Crypto Network: ZachXBT Analyzes Leaked Server Data

Key Highlights

  • ZachXBT’s analysis of leaked server data reveals a DPRK-linked crypto network moving nearly $1 million monthly through coordinated wallets, remittance tools, and fiat off-ramps.
  • The operation relies on fake identities and remote job infiltration, with workers using fabricated credentials and sometimes deepfake techniques to generate income.
  • Internal logs show structured fund flows and weak security practices, linking the network to previously sanctioned entities and known North Korean activity patterns.

A cache of internal data linked to North Korean IT workers offers a rare look at how crypto flows through a loosely coordinated but persistent network of fraud, identity abuse, and cross-border payments.

In a detailed X thread shared on Wednesday, blockchain investigator ZachXBT says the dataset, obtained from a compromised device, includes chat logs, account records, and transaction details tied to roughly 390 users. The material points to a structured operation moving close to $1 million per month through a mix of crypto wallets and fiat off-ramps.

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate… pic.twitter.com/aTybOrwMHq

— ZachXBT (@zachxbt) April 8, 2026

At the center is an internal platform described as a remittance hub, where workers report earnings and receive instructions. The system appears to function as both a messaging tool and a coordination layer for payments.

Weak security, clear structure

According to ZachXBT, basic security failures stood out. Several accounts reportedly used unchanged default passwords, allowing access to internal communications and user lists. These records included Korean names, geographic references, and coded group identifiers consistent with known DPRK-linked IT worker patterns.

The data also references entities such as Sobaeksu, Saenal, and Songkwang, all previously sanctioned, suggesting overlap between this network and earlier identified operations.

3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu,… pic.twitter.com/rKYS0TR9BL

— ZachXBT (@zachxbt) April 8, 2026

How the money moves

Transaction logs show a repeatable pattern, as per the investigation. Funds typically originate from crypto exchanges or service platforms before being routed through wallets and, in some cases, converted into fiat via intermediaries, including Chinese bank accounts and payment processors.

An administrative account appears to confirm incoming transfers and distribute credentials for further movement of funds. Since late 2025, more than $3.5 million in crypto has reportedly passed through tracked addresses tied to the network.

Some blockchain trails connect to wallets previously associated with North Korean activity clusters. In at least one instance, a wallet was frozen by Tether, indicating partial disruption by industry actors.

5/ Since late November 2025 $3.5M+ was received across the payment wallet addresses.

The remittance pattern was consistent across users:

Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.… pic.twitter.com/IhbqW3eKKI

— ZachXBT (@zachxbt) April 8, 2026

Fake identities and job infiltration

The logs also detail how workers create and deploy fabricated identities to secure remote jobs. Browser histories, chat discussions, and internal notes suggest coordinated efforts to apply for roles using false credentials, sometimes supported by deepfake techniques.

Communication tools included internal messaging systems and external platforms, where users shared tactics but also showed signs of operational constraints, such as restrictions on sharing outside links.

Training and low-tier operations

Training materials circulated within the network covered reverse engineering and debugging tools, including modules related to disassembly and malware analysis. These resources point to ongoing efforts to build technical capacity among participants.

Despite this, the activity described appears less advanced than operations attributed to more sophisticated DPRK-linked groups. Still, the volume of transactions and steady inflows indicate that even lower-tier networks generate meaningful revenue.

A window into a broader system

The dataset does not confirm the full scale of the operation, and some details, such as the authenticity of addresses used for goods and billing, remain unverified. But the structure it reveals aligns with previous findings: decentralized teams, centralized reporting, and heavy reliance on crypto to move funds across borders.

What stands out is not just the use of digital assets, but the blend of simple vulnerabilities, coordinated workflows, and persistent activity that allows such networks to operate at scale.

Also Read: Drift Protocol Reveals North Korean State Hackers Behind $285M Exploit

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:BlockchainCrypto Scam
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

a16z Says Wall Street Wants Blockchain, Not DeFi
a16z Says Wall Street Wants Blockchain, Not DeFi
Fed Chair Warsh Calls for Regulator Coordination on GENIUS Act
Fed Chair Warsh Calls for Regulator Coordination on GENIUS Act
Base’s Jesse Pollak Admits Creator Coin Strategy Failed, Signals AI Pivot
Base’s Jesse Pollak Admits Creator Coin Strategy Failed, Signals AI Pivot
Trump Joins CLARITY Act Talks as Senate Eyes Final Deal 
Trump Joins CLARITY Act Talks as Senate Eyes Final Deal 
Will Bitcoin Reclaim Its All-Time High of $126K by End of 2026
Will Bitcoin Reclaim Its All-Time High of $126K by End of 2026?

Find Us on Socials

You may also like

Coinbase Backs CLARITY Act to Unlock Its 'Everything Exchange'

Coinbase Backs CLARITY Act to Unlock Its ‘Everything Exchange’

REAL Joins BC4EU to Support Institutional Tokenization in EU

BitMine Posts $9.1B Loss as ETH Staking Drives Nearly All Revenue

BitMine Posts $9.1B Loss as ETH Staking Drives Nearly All Revenue

Blockchain.com Integrates Polymarket Ahead of FIFA World Cup 2026 Semifinals

Blockchain.com Integrates Polymarket Ahead of FIFA World Cup 2026 Semifinals

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information