Leaked Files Reveal North Korean Hackers with 30+ Fake Identities in Crypto Job Scam

A sophisticated cyber operation is quietly infiltrating remote tech jobs worldwide. 

Blockchain investigator ZachXBT uncovered a major leak from a DPRK IT worker’s device showing a small team of five managing 30+ fake identities, with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. They also claimed experience at top blockchain companies like Polygon Labs, OpenSea, and Chainlink.

Inside the DPRK Remote Job Operation

The spreadsheets reveal how DPRK IT workers operated, including weekly reports, expense tracking, and meeting schedules, and include a script used for the fake identity “Henry Zhang.” Their expenses show purchases of SSNs, Upwork and LinkedIn accounts, phone numbers, AI tools, rented computers, and VPNs or proxies.

Leaked Google Drive files, Chrome profiles, and device screenshots revealed that they managed schedules, tasks, and budgets mostly in English. Telegram chats show how they coordinated to land jobs, handle payments, and route salaries through crypto wallets.

One of the key signs pointing to North Korea was their use of Google Translate into Korean during searches, sometimes routed through Russian IP addresses.

Wallet Linked to $680K Favrr Exploit

Notably, one wallet was linked to multiple payments and the $680K  Favrr exploit in June 2025, where DPRK ITWs acted as CTO and developers using fraudulent documents. Additional operatives were connected to other projects through this same wallet address.

DPRK IT Workers Flood Remote Jobs

ZachXBT points out that the biggest challenge in stopping DPRK IT workers is poor coordination between companies and security services, along with recruitment teams who often ignore or resist warnings.

• Also Read :
•   Google Play Store Cracks Down on Illegal Crypto Wallets and Exchanges 
•   ,

These IT workers are not especially sophisticated, but they are persistent, flooding the global job market for remote developer roles and commonly use Payoneer to convert regular payments into crypto.

North Korea’s Crypto Crime Network

North Korea’s cyber theft operations are massive and growing. In January, operatives stole $2.2M, and in June, authorities seized over $7.7M linked to fake remote job schemes. 

North Korean hackers are tricking people with fake IT job offers to access cloud systems and steal crypto. Since 2020, these campaigns have targeted major crypto platforms, contributing to massive thefts such as Axie Infinity’s $620M breach, DMM Bitcoin’s $305M hack, and Bybit’s $1.5B heist.

Experts estimate that North Korea has stolen $1.6B in crypto so far in 2025, accounting for 35% of all stolen crypto last year, and they are showing no signs of slowing down. 

Never Miss a Beat in the Crypto World!

Stay ahead with breaking news, expert analysis, and real-time updates on the latest trends in Bitcoin, altcoins, DeFi, NFTs, and more.

Subscribe to News

FAQs