TLDR:
- ZachXBT obtained leaked data from 390 accounts on a North Korean internal payment server via an infostealer.
- Over $3.5M moved through network wallets since late November 2025, with one Tron address frozen by Tether.
- Three OFAC-sanctioned companies — Sobaeksu, Saenal, and Songkwang — appeared directly in the breached data.
- Workers received IDA Pro cybersecurity training modules, pointing to capabilities beyond basic financial fraud.
A major breach of an internal North Korean payment server has revealed a sophisticated fraud network generating nearly $1 million per month.
On-chain investigator ZachXBT obtained data from an unnamed source, including 390 accounts, chat logs, and crypto transactions.
The leaked data exposed fake identities, forged legal documents, and crypto-to-fiat conversion methods. Since late November 2025, over $3.5 million moved through the network’s payment wallet addresses.
How the Payment Network Operated
The breach originated from a DPRK IT worker's device that had been compromised by an infostealer. Data extracted from the device included IPMsg chat logs, fake identity documents, and browser history.
Investigators traced activity to a site called luckyguys[.]site, described as an internal payment remittance platform. The platform functioned similarly to a messaging app, allowing workers to report payments back to handlers.
Ten users on the platform still used the unchanged default password, 123456. The user list included roles, Korean names, cities, and coded group names consistent with known DPRK IT worker operations.
Three sanctioned companies appeared in the data: Sobaeksu, Saenal, and Songkwang, all currently under OFAC sanctions.
ZachXBT posted on X that the remittance pattern was consistent across users. Workers transferred crypto from exchanges or services, or converted funds to fiat through Chinese bank accounts via platforms like Payoneer.
An admin account, PC-1234, then confirmed receipt and distributed credentials for various exchanges and fintech platforms.
One user identified as “Rascal” had direct message logs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.
Hong Kong addresses appeared in billing records, though their authenticity could not be confirmed. Two payment addresses were identified: one Ethereum address and one Tron address, the latter frozen by Tether in December 2025.
Using the full dataset, ZachXBT mapped the complete organizational structure of the network, including payment totals per user and group. He published an interactive org chart covering the December 2025 through February 2026 data range.
Training Modules and Broader Threat Context
Beyond financial fraud, the data revealed cybersecurity training activity within the group. According to ZachXBT’s post, the admin sent 43 Hex-Rays and IDA Pro training modules to the group between November 2025 and February 2026.
Topics covered disassembly, decompilation, local and remote debugging, and various cybersecurity subjects. One link sent on November 20 referenced using an IDA debugger to unpack a hostile executable.
A compromised device belonging to a worker identified as “Jerry” showed usage of Astrill VPN and multiple fake personas applying for jobs.
An internal Slack message showed a user named “Nami” sharing a blog post about a DPRK IT worker deepfake job applicant. Another screenshot showed 33 workers communicating on the same network through IPMsg.
Jerry also discussed plans to steal from a project called Arcano, a GalaChain game, with another worker through a Nigerian proxy.
Whether that attack proceeded remains unclear. The investigator noted this cluster is less sophisticated than groups like AppleJeus and TraderTraitor.
ZachXBT stated in a post that DPRK IT workers collectively generate multiple seven figures per month, and this data supports that estimate.
He added that threat actors are missing an opportunity by not targeting these lower-tier DPRK groups, citing minimal competition and low repercussion risk. He confirmed plans to continue publishing findings through his investigation platform.