North Korean Crypto Fraudsters' $1M/Month Operation Meets Its Kryptonite: Password123456
If you're going to run a sophisticated state-sponsored crypto fraud ring generating roughly $1 million per month, maybe—maybe—consider upgrading from "123456" as your server password. Apparently the Democratic People's Republic of Korea (DPRK) missed that memo. Blockchain detective ZachXBT just blew the lid off an internal breach that handed investigators 390 accounts, chat logs, and crypto transaction trails forming one of the most coordinated fraud networks the crypto space has seen in a while. The scale is wild, the security is hilariously bad, and the audacity? Impeccable.
Here's how it went down: an unnamed insider got infected with an infostealer that somehow landed on a device belonging to a DPRK IT worker. The malware extracted IPMsg chat logs, browser history, and enough identity records to make a cybersecurity analyst weep with joy—or at least extreme professional satisfaction. These logs were apparently sitting there like a freshly minted NFT waiting to get rugged by whoever got there first.
The crown jewel hidden in those logs? A platform called luckyguys[.]site, which functioned as the operation's internal command center for payment reporting, activity coordination, and presumably arguing about who forgot to lock the server. Yep, the entire fraud network had its own little Discord server. Very "ape together strong."
The payment infrastructure revealed in the breach reads like a master's thesis in money laundering architecture. Funds moved from exchanges or got swapped through Chinese bank accounts and fintech platforms like Payoneer, maintaining steady liquidity across multiple channels. This was a well-oiled machine for turning dirty crypto into spendable fiat—just not a well-locked one.
And here's where it gets genuinely comedic. That internal server? Running on the security equivalent of a screen door on a submarine. It used the laughably weak default password "123456" across several accounts—an oversight so catastrophic it basically left the front door open with a sign saying "free crypto this way." The platform even included user roles, Korean names, and location data matching known DPRK IT worker structures. They basically handed investigators a Christmas present with a bow on it.
Three companies tied to the network—Sobaeksu, Saenal, and Songkwang—are already chilling on the OFAC sanction lists like they were waiting for an invite. ZachXBT traced over $3.5 million in transactions flowing into associated wallet addresses since late November 2025. A centralized admin account labeled PC-1234 validated payments and distributed credentials for exchanges and fintech platforms like a very illegal IT helpdesk. In December 2025, Tether froze one Tron wallet linked to the operation, which honestly felt like the bare minimum after a $3.5M trail was handed to them on a platter.
The operational depth uncovered in this breach goes beyond finances. Internal discussions and training materials revealed an entire curriculum for state-sponsored crypto crime. An internal Slack channel—because of course they had a Slack—showed 33 DPRK IT workers communicating simultaneously through IPMsg. Administrators distributed 43 training modules covering IDA Pro, Hex-Rays, reverse engineering, debugging, and software exploitation. Apparently they were running a fully accredited blockchain crime university with a very questionable tuition structure.
Despite all that structured training, the group showed limited sophistication compared to advanced operations like AppleJeus or TraderTraitor. Think of it as the difference between a degen apeing into a new coin and actual institutional-grade trading. However, the operational scale made up for any technical shortcomings, generating significant revenue streams with the kind of consistency that would make even a crypto VC proud.
Leaked logs also referenced attempts to deploy fake identities and deepfake applications for job infiltration, with some conversations covering the targeting of gaming platforms and financial services. That's