ZachXBT Reveals How a North Korean Hacker Team Manipulates Fake Identities to Infiltrate Development Projects
Renowned on-chain detective ZachXBT cited an investigation by a white-hat hacker, exposing how a five-member North Korean hacker team manipulates fake identities to infiltrate development projects. This article delves into their operational patterns, expenditure details, and funding flows, providing key insights for preventing such threats. The article originates from a piece written by ZachXBT and is organized, translated, and penned by Azuma from Odaily Planet Daily.
(Background: Microsoft Partners with FBI to Combat North Korean Hacker Fraud! 3,000 Accounts Frozen, U.S. “Working Class Accomplice” Arrested)
(Additional Background: BitoPro Hacked Investigation Reveals North Korean Lazarus! Social Engineering Attack Steals $11.5 Million)
North Korean hackers have long posed a significant threat to the cryptocurrency market. In previous years, victims and industry security personnel could only speculate about the behavior patterns of North Korean hackers by reverse-analyzing the relevant security incidents. Yesterday, however, renowned on-chain detective ZachXBT cited in a tweet a white-hat hacker's analysis of a counter-hack against North Korean hackers, revealing for the first time the "work" methods of North Korean hackers from the inside rather than from their victims' perspective, which may have positive implications for preemptive security measures in industry projects.
The following is the full content from ZachXBT, translated by Odaily Planet Daily.
Recently, an anonymous hacker, who wishes to remain unnamed, infiltrated the device of a North Korean IT worker, exposing how a five-person technical team manipulated over 30 forged identities to conduct activities. This team not only possessed government-issued fake identification documents but also infiltrated various development projects by purchasing Upwork/LinkedIn accounts.
Investigators obtained data from their Google Drive, Chrome browser profiles, and device screenshots. The data shows that the team heavily relied on Google tools to coordinate work schedules, task assignments, and budget management, with all communications conducted in English.
A weekly report document from 2025 revealed the working patterns of the hacker team and the difficulties encountered during this period, such as complaints from members about "not understanding work requirements and not knowing what to do." Surprisingly, the corresponding solution section, as filled in, read "Put in more effort and double down"…
Expenditure details record that their spending items included purchasing Social Security Numbers (SSNs), transactions of Upwork and LinkedIn accounts, renting phone numbers, AI service subscriptions, computer rentals, and procurement of VPN/proxy services, among others.
One spreadsheet detailed the schedule and script for meetings attended under the fake identity “Henry Zhang.” The operating procedure indicated that these North Korean IT workers would first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourcing tasks via AnyDesk remote control tools.
One of the wallet addresses they used for receiving and sending funds is:
0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c
This address is closely linked to a $680,000 Favrr protocol attack that occurred in June 2025, later confirmed to involve a technical lead and other developers who were North Korean IT workers holding forged documents. Through this address, other North Korean IT personnel involved in infiltration projects were also identified.
Key evidence was also found in the team’s search history and browser history.
One may ask, “How can we confirm they are from North Korea?” Aside from all the fraudulent documents detailed above, their search history revealed they frequently used Google Translate, translating into Korean using Russian IPs.
Currently, the main challenges for enterprises in preventing North Korean IT workers focus on the following areas:
- Systematic Collaboration Deficiency: Lack of effective information sharing and cooperation mechanisms between platform service providers and private enterprises;
- Employer Oversight: Hiring teams often exhibit defensive attitudes after receiving risk alerts, even refusing to cooperate with investigations;
- Numerical Advantage Impact: Although their technical means are not complex, they continuously infiltrate the global job market with a large pool of job seekers;
- Fund Conversion Channels: Payment platforms like Payoneer are frequently used to convert fiat income from development work into cryptocurrency.
I have previously mentioned indicators to watch for, and those interested can refer to my historical tweets; I will not reiterate them here.