A fake dev shop with a password set to 123456 somehow pulled in about $1 million a month. Crypto risk theater remains undefeated.
Evidence obtained by a counter-hacker and shared by onchain investigator ZachXBT points to a North Korean IT worker operation that allegedly made more than $3.5 million in a few months by posing as legitimate remote developers, collecting crypto payments, and in some cases trying to compromise the projects that hired them. [1]
The leak came from an unnamed hacker who says they accessed one of the workers' devices and internal systems. The exposed material appears to map out a coordinated DPRK-linked unit, not a lone bad actor freelancing from a laptop café. [2]
What the leak shows
According to the documents circulated by ZachXBT on Wednesday, one worker identified as "Jerry" was tied to a team of roughly 140 members. That group was reportedly generating around $1 million per month and had accumulated about $3.5 million in crypto since late November. [2]
The workers allegedly used fake identities to land IT jobs, then routed compensation through a website called luckyguys.site. The operational security was almost comically bad on one level, with a shared password allegedly set to 123456. But the bigger point is less funny: weak internal security did not stop the ring from extracting millions.
That matters because these campaigns do not rely on sophisticated zero-days at the front end. They rely on hiring pipelines that are too fast, identity checks that are too shallow, and teams that still think "remote contractor risk" means somebody missing standup.
More than payroll fraud
This was not just a case of workers quietly cashing paychecks under fake names.
The reporting says some members also attempted to hack crypto projects while employed. That turns a compliance failure into an active security incident. A malicious contractor inside a codebase can reach repositories, deployment workflows, CI secrets and API keys, internal documentation, and team communications, and can do so with credentials that look legitimate in every log. At that point, the "IT worker scam" label starts sounding too soft. [1]
For crypto firms, this is the nightmare version of insider risk. A bad hire can blend into normal operations for weeks or months, especially if they deliver enough work to avoid scrutiny. Once trust is established, the attack surface gets much wider.
Why crypto keeps getting targeted
Crypto companies remain unusually exposed to this playbook for a simple reason: they hire globally, move fast, and often pay in stablecoins or other digital assets. That combination is convenient for real talent and extremely convenient for sanctions evasion.
A traditional employer might route payroll through banks with heavier KYC friction. A crypto startup can pay a contractor in Tether the same day. Again, great for speed, terrible if your counterparty is a state-linked operative using a borrowed LinkedIn profile.
The leak also fits a broader pattern that security researchers and law enforcement have been warning about for years. DPRK-linked operators have repeatedly used fake resumes, synthetic identities, and third-country intermediaries to get hired into tech roles. Sometimes the goal is straightforward revenue generation. Sometimes it is access. Often it is both. [3]
The real failure point is hiring
The headline number, $1 million a month, is eye-catching. The uglier takeaway is that dozens of firms likely touched this network without realizing it.
If one team had 140 members working under fake or manipulated identities, this was almost certainly enabled by fragmented hiring practices across multiple companies. Many startups outsource recruiting, skip in-depth background checks for contractors, or rely on video calls and GitHub activity as proxies for trust. That is not diligence. That is vibes-based security.
Basic controls would have made this operation harder to scale: live identity verification, device attestation, jurisdiction checks, independent references, payment screening (including checking whether several "different" contractors are paid to the same destination), and strict access segmentation for new hires, with no production deploy or secrets access during a probation window. None of that is glamorous. All of it is cheaper than getting rekt by your own contractor.
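Two of those controls, payment screening and access segmentation for new hires, are easy to automate from data most companies already have. The following is an added example, not code from the article or from any of the firms involved; the contractor records, wallet addresses and the denylist are constructed for illustration, and the 30-day probation window and the set of privileged roles are assumptions. It flags a payout address shared by more than one contractor identity, a payout address on a denylist, and privileged access granted inside the probation window.

```python
"""Screen contractor onboarding records for insider-risk signals.

Added example (not from the article). All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PROBATION_DAYS = 30                                     # assumed policy window
PRIVILEGED = {"prod-deploy", "secrets-read", "ci-admin"}  # assumed role names


@dataclass
class Contractor:
    handle: str
    hired: date
    payout_addr: str
    grants: dict = field(default_factory=dict)  # role -> date the role was granted


def screen(contractors, denylist):
    """Return a list of (finding, subject, [handles]) tuples."""
    findings = []

    # 1. Several "different" identities paid to one destination is the
    #    classic signature of a ring routing salaries to a shared wallet.
    by_addr = {}
    for c in contractors:
        by_addr.setdefault(c.payout_addr.lower(), []).append(c.handle)
    for addr, handles in by_addr.items():
        if len(handles) > 1:
            findings.append(("shared_payout", addr, sorted(handles)))

    for c in contractors:
        # 2. Payout destination already known-bad (sanctions / internal list).
        if c.payout_addr.lower() in denylist:
            findings.append(("denylisted_payout", c.payout_addr.lower(), [c.handle]))
        # 3. Privileged role handed out before the probation window elapsed.
        for role, granted in c.grants.items():
            if role in PRIVILEGED and granted - c.hired < timedelta(days=PROBATION_DAYS):
                findings.append(("early_privilege", role, [c.handle]))
    return findings


# Constructed sample records: two identities share a wallet, one got
# prod-deploy eight days after hire, one is paid to a denylisted address.
SAMPLE = [
    Contractor("jerry_dev", date(2024, 12, 2), "0xA1B2C3",
               {"repo-write": date(2024, 12, 3), "prod-deploy": date(2024, 12, 10)}),
    Contractor("mike_ops", date(2025, 1, 15), "0xa1b2c3",
               {"repo-write": date(2025, 1, 16)}),
    Contractor("ana_fe", date(2024, 6, 1), "0xD4E5F6",
               {"repo-write": date(2024, 6, 2), "prod-deploy": date(2024, 9, 1)}),
    Contractor("lee_be", date(2025, 2, 1), "0x999999",
               {"repo-write": date(2025, 2, 2)}),
]
DENYLIST = {"0x999999"}  # constructed; in practice a sanctions/abuse feed


def run_sample():
    return screen(SAMPLE, DENYLIST)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The address comparison is case-folded on purpose: the same EVM address written in mixed and lower case would otherwise look like two destinations. In production the denylist would be fed from a sanctions or abuse feed and the grants from the identity provider's audit log rather than from inline literals.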
Why the password detail matters
Yes, 123456 is meme-tier incompetence. No, that does not make the threat unserious.
The easy password is useful because it punctures the myth that every successful DPRK-linked operation is technically elegant. A lot of the edge comes from persistence, process exploitation, and target complacency. If defenders expect only Hollywood-grade hacking, they miss the boring attack paths that actually work.
That should sting a little for crypto teams that still spend more time arguing about wallet UX than tightening internal access controls.
The bigger picture
This case is a reminder that not every North Korea-linked crypto threat starts with a bridge exploit or a phishing page. Sometimes it starts with a job application, a clean résumé, and a contractor invoice.
The money here is material, but the strategic risk is bigger than the payout. A network that can reliably place workers inside crypto companies can collect salaries, map infrastructure, identify weak controls, and potentially tee up later intrusions. Revenue and reconnaissance are a nasty combo.
If firms treat this as just another weird headline, expect repeats. If hiring controls tighten, device and identity checks improve, and new contractors get less trust by default, this model gets more expensive to run. If not, watch more "remote devs" turn into very expensive lessons.