GasCope
ZachXBT Drops DPRK's Crypto Homework: $3.5M Flow, 390 Accounts, and Passwords That Would Make Your Grandma Weep

ZachXBT just exposed the internal playbook of North Korean IT workers, and let's just say their opsec was... not bulletproof. Actually, it was more like wet tissue paper defending a fortress. The blockchain detective revealed a treasure trove of data from a compromised device used by DPRK IT workers, showing $3.5 million in crypto flows since November 2025. The dataset includes 390 accounts, IPMsg chat logs, browser histories, and transaction records spanning roughly $1 million per month. For those doing the math at home, that's roughly $33,333 per day flowing through their little operation—chump change for a nation-state, but still enough to buy a decent apartment in most of America.

The findings paint a picture of coordinated operations using fake identities, weak security, and a platform called luckyguys[.]site functioning as both a messaging hub and remittance system. Workers submitted earnings and received instructions through this platform like some kind of dystopian gig economy. Imagine Uber, but instead of delivering sandwiches, you're funneling money for Kim Jong-un, and instead of a rating system, you get points toward a bullet in your knee if you underperform. The whole operation reads like a LinkedIn profile from hell—"Experienced freelance developer with expertise in remote work, crypto laundering, and evading international sanctions."

But here's where it gets spicy: several accounts used the default password "123456" without changes. Yes, you read that right. North Korean state-affiliated operatives apparently thought '123456' was sufficient security for their internal payment server. This is the digital equivalent of hiding your spare key under the doormat while claiming to be a master of covert operations. The same password your grandma uses for her WiFi because she can't remember anything more complicated. The same password that gets hacked in every "worst passwords" list published annually. And these are the people supposedly funding a nuclear program? Yikes.

The data also revealed three entities—Sobaeksu, Saenal, and Songkwang—all currently under OFAC sanctions, linking this network to previously identified DPRK operations. Transaction logs show workers moved crypto from exchanges before converting to fiat through Chinese bank accounts and platforms like Payoneer. It's almost like following a breadcrumb trail left by someone who really, really didn't want to be found—except they left the trail out in the open like a game of Mario Kart with no obstacles. The sanctions were already there, but now we have the receipts. The dinner is paid for, the table is cleared, and OFAC is asking for the check.

One Tron wallet was frozen by Tether in December 2025, marking limited intervention from industry participants. Better late than never, I suppose. One wallet out of 390 accounts, one frozen out of a $3.5 million operation—it's the crypto equivalent of bringing a water pistol to a forest fire. But hey, at least someone at Tether was paying attention that month. Maybe they were bored. Maybe it was a slow Tuesday. Either way, let's see more of this energy going forward, please and thank you.

The investigation also uncovered training materials—43 modules covering reverse engineering, Hex-Rays, and IDA Pro—indicating ongoing technical development. Internal chats showed 33 workers communicating on the same IPMsg network, with discussions including a planned theft attempt targeting GalaChain's Arcano project through a Nigerian proxy (though it's unclear if the attack materialized). Forty-three modules. That's more training than most bootcamp grads get. These guys are taking their education seriously—reverse engineering, IDA Pro, the works. It's almost admirable, if it weren't, you know, illegal and supporting a regime that makes Bond villains look like amateur hour. The Nigerian proxy angle is also chef's kiss—nothing says "untraceable operation" quite like routing through a country known for email scams and hoping nobody notices.

Workers used Astrill VPN to mask their locations while securing remote jobs under fabricated identities. Because nothing says "stealth operation" quite like paying for a commercial VPN service that keeps logs and can be subpoenaed. It's the equivalent of wearing a "I am not a criminal" t-shirt while robbing a bank. These guys really said "we need to hide from the world's intelligence agencies" and then downloaded the same VPN your college roommate used to watch Netflix abroad. Peak strategy.

This latest exposé follows ZachXBT's previous callout of Circle regarding the $285 million Drift Protocol exploit delay. The man just doesn't sleep, and honestly, neither does the DPRK crypto operation apparently. It's a never-ending game of whack-a-mole, except the moles have nukes and the mallets are underfunded. But with investigators like ZachXBT doing the heavy lifting, maybe—just maybe—we're slowly making it just slightly harder for these clowns to operate. One compromised device at a time.

Mentioned coins: $TRX, $USDT, $GALA, $USDC

Publisher: gascope.com
Updated: Apr 10, 2026, 19:42 UTC