Key Highlights
- ZachXBT’s analysis of leaked server data reveals a DPRK-linked crypto network moving nearly $1 million monthly through coordinated wallets, remittance tools, and fiat off-ramps.
- The operation relies on fake identities and remote job infiltration, with workers using fabricated credentials and sometimes deepfake techniques to generate income.
- Internal logs show structured fund flows and weak security practices, linking the network to previously sanctioned entities and known North Korean activity patterns.
A cache of internal data linked to North Korean IT workers offers a rare look at how crypto flows through a loosely coordinated but persistent network of fraud, identity abuse, and cross-border payments.
In a detailed X thread shared on Wednesday, blockchain investigator ZachXBT says the dataset, obtained from a compromised device, includes chat logs, account records, and transaction details tied to roughly 390 users. The material points to a structured operation moving close to $1 million per month through a mix of crypto wallets and fiat off-ramps.
At the center is an internal platform described as a remittance hub, where workers report earnings and receive instructions. The system appears to function as both a messaging tool and a coordination layer for payments.
Weak security, clear structure
According to ZachXBT, basic security failures stood out. Several accounts reportedly used unchanged default passwords, allowing access to internal communications and user lists. These records included Korean names, geographic references, and coded group identifiers consistent with known DPRK-linked IT worker patterns.
The data also references entities such as Sobaeksu, Saenal, and Songkwang, all previously sanctioned, suggesting overlap between this network and earlier identified operations.
How the money moves
According to the investigation, transaction logs show a repeatable pattern. Funds typically originate from crypto exchanges or service platforms before being routed through wallets and, in some cases, converted into fiat via intermediaries, including Chinese bank accounts and payment processors.
An administrative account appears to confirm incoming transfers and distribute credentials for further movement of funds. Since late 2025, more than $3.5 million in crypto has reportedly passed through tracked addresses tied to the network.
Some blockchain trails connect to wallets previously associated with North Korean activity clusters. In at least one instance, a wallet was frozen by Tether, indicating partial disruption by industry actors.
Fake identities and job infiltration
The logs also detail how workers create and deploy fabricated identities to secure remote jobs. Browser histories, chat discussions, and internal notes suggest coordinated efforts to apply for roles using false credentials, sometimes supported by deepfake techniques.
Communication tools included internal messaging systems and external platforms, where users shared tactics but also showed signs of operational constraints, such as restrictions on sharing outside links.
Training and low-tier operations
Training materials circulated within the network covered reverse engineering and debugging tools, including modules related to disassembly and malware analysis. These resources point to ongoing efforts to build technical capacity among participants.
Despite this, the activity described appears less advanced than operations attributed to more sophisticated DPRK-linked groups. Still, the volume of transactions and steady inflows indicate that even lower-tier networks generate meaningful revenue.
A window into a broader system
The dataset does not confirm the full scale of the operation, and some details, such as the authenticity of addresses used for goods and billing, remain unverified. But the structure it reveals aligns with previous findings: decentralized teams, centralized reporting, and heavy reliance on crypto to move funds across borders.
What stands out is not just the use of digital assets, but the blend of simple vulnerabilities, coordinated workflows, and persistent activity that allows such networks to operate at scale.
