GasCope
North Korea's $3.5M Crypto Side Hustle Busted After Someone Used '123456' as Password

A group of North Korean IT workers made over $3.5 million in just a few months by faking their identities to work as developers while simultaneously attempting to hack crypto projects. The operation came crashing down after a hacker compromised one of their devices. Turns out, when you're running an international fraud operation from your mom's basement in Pyongyang, even your VPN can't save you from clicking on the wrong link.

The leaked data, shared by blockchain sleuth ZachXBT on X, revealed that one worker named "Jerry" and a team of 140 members were pulling in roughly $1 million per month since late November. That's more than most DeFi protocols make in a year, and these clowns weren't even building anything useful—just pretending to be legitimate devs while quietly draining wallets like they were playing "Who Can Steal the Most Without Getting Caught."

Here's the kicker: the North Korean IT workers coordinated payments on a website called "luckyguys.site" using a shared password that even your grandmother would reject — "123456." Some users on that platform appeared to work for Sobaeksu, Saenal and Songkwang, all sanctioned by the US Office of Foreign Assets Control. We're not saying security was an afterthought, but if your password strategy is indistinguishable from a toddler's iPad code, maybe don't run a global money laundering scheme on the same platform.

The crypto payments were converted to fiat and sent to Chinese bank accounts via online payment platforms like Payoneer. Tracing the wallet addresses also revealed connections to other known North Korean wallets that Tether blacklisted in December. The paper trail wasn't just thin—it was basically a neon sign flashing "we definitely stole this" that somehow still took months to notice.

These DPRK IT workers even had a leaderboard tracking how much crypto each worker brought in since December 8, with links to blockchain explorer pages showing transaction details. Nothing says "professional operation" like a gamified spreadsheet of your illicit income, leaderboards, and performance reviews for theft. Next they'll be doing quarterly all-hands with pizza.

One screenshot showed Jerry using an Astrill VPN to access Gmail, where he submitted multiple applications for full-stack developer and software engineer roles on Indeed. In an unsent email, he wrote a letter applying for a WordPress content and SEO specialist position at a T-shirt company in Texas, requesting $30 an hour for 15 to 20 hours per week. This guy was simultaneously running a state-sponsored crypto heist AND trying to pivot into content marketing for apparel. Pure degen energy—the kind of multi-tasking that makes you wonder if he was ever actually sleeping.

Identification documents were falsified too. One worker named "Rascal" shared pictures of a billing statement using a fake name and fake address in Hong Kong, along with what appeared to be an Irish passport. "Rascal" might be the most honest thing about this entire operation—the man was absolutely vibing.

ZachXBT noted these IT workers were less sophisticated compared to other North Korean groups like AppleJeus and TraderTraitor, which "operate far more efficiently and present the greatest risks to the industry." So basically, these guys were the JV squad of state-sponsored crypto theft. Not even good enough to be the main character in a heist movie—just the comic relief that gets caught in the first act.

North Korean state-backed workers have stolen over $7 billion in funds since 2009, with a significant portion coming from crypto projects. Notable attacks include the $1.4 billion hack of crypto exchange Bybit and the $625 million Ronin bridge hack. At this point, DPRK is basically running the world's most successful (and most annoying) crypto fund—except instead of yield farming, they're just taking everything that isn't nailed down.

Publisher: gascope.com
Updated: Apr 9, 2026, 18:15 UTC
