GasCope
When the Kimchi Doesn't Flow: How a '123456' Password Brought Down a $1M/Month DPRK Crypto Scheme

In a stunning blow to state-sponsored hustle culture, blockchain detective ZachXBT has doxxed a North Korean IT worker ring that was quietly printing $1 million per month—funded not by sanctions-busting missiles, but by fake IDs, deepfakes, and a password that would make any security researcher weep into their energy drink.

The breach spilled data from 390 accounts, including chat logs, browser histories, and crypto transactions, all vacuumed up by an infostealer on a compromised device. Turns out, even DPRK operatives can't resist a good phishing tutorial. The crown jewel? A private comms hub called luckyguys[.]site—less 'lucky break,' more 'lucky we didn't use two-factor.'

The operation ran like a fintech startup in a Pyongyang basement: workers submitted payment proofs, admins (notably one 'PC-1234') approved them, and funds flowed through exchanges into Chinese bank accounts and Payoneer. Tether eventually caught on—freezing a Tron wallet in December 2025. Seems even stablecoins have standards.

Security-wise, they weren't exactly quantum-resistant. The internal server? Protected by the ever-elite password: 123456. Yes, really. This digital fortress also stored Korean names, roles, locations, and even training modules on reverse engineering with IDA Pro and Hex-Rays—because nothing screams 'cyber sovereignty' like pirated debugging tools.

Thirty-three workers were seen

Publisher: gascope.com
Updated: Apr 11, 2026, 19:53 UTC