
ZachXBT Publishes Leaked DPRK Payment Data Showing $1M Monthly Crypto-to-Fiat Pipeline – Crypto News Bitcoin News

2026/04/09 23:23
4 min read

Key Takeaways:

  • ZachXBT’s April 8 investigation exposed a DPRK IT worker payment server that processed over $3.5 million since late November 2025.
  • Three OFAC-sanctioned entities, Sobaeksu, Saenal, and Songkwang, appeared in the breached user list from luckyguys.site.
  • The internal DPRK site went offline on April 9, 2026, but ZachXBT archived all data before publishing the 11-part thread.

North Korean Hackers Used Default Password ‘123456’ on Internal Crypto Payment Server

The leaked data came from a DPRK IT worker’s device compromised by infostealer malware. An unnamed source shared the files with ZachXBT, who confirmed the material had never been publicly released. The extracted records included approximately 390 accounts, IPMsg chat logs, fabricated identities, browser history, and cryptocurrency transaction records.

The internal platform at the center of the investigation was luckyguys.site, also referred to internally as WebMsg. It functioned as a Discord-style messenger, allowing DPRK IT workers to report payments to their handlers. At least ten users had never changed the default password, which was set to “123456.”

The user list contained roles, Korean names, cities, and coded group names consistent with known DPRK IT worker operations. Three companies appearing in the list, Sobaeksu, Saenal, and Songkwang, are currently sanctioned by the U.S. Treasury’s Office of Foreign Assets Control.

Payments were confirmed through a central admin account identified as PC-1234. ZachXBT shared direct message examples from a user nicknamed “Rascal,” which detailed transfers tied to fraudulent identities spanning December 2025 through April 2026. Some messages referenced Hong Kong addresses for bills and goods, though their authenticity was not verified.

The associated payment wallet addresses received more than $3.5 million during that period, equating to roughly $1 million per month. Workers used forged legal documents and fake identities to obtain employment. Crypto was either transferred directly from exchanges or converted to fiat through Chinese bank accounts using platforms like Payoneer. The admin account PC-1234 then confirmed receipt and distributed credentials for various crypto and fintech platforms.

Onchain analysis tied the internal payment addresses to known clusters of DPRK IT workers. Two specific addresses were identified: an Ethereum address and a Tron address that Tether froze in December 2025.

ZachXBT used the full dataset to map the complete organizational structure of the network, including payment totals per user and per group. He published an interactive org chart covering December 2025 through February 2026 at investigation.io/dprk-itw-breach, accessible with the password “123456.”

The compromised device and chat logs produced additional details. Workers used Astrill VPN and fake personas to apply for jobs. Internal Slack discussions included a post from a user named “Nami” sharing a blog about a DPRK worker deepfake applicant. The admin also sent 43 Hex-Rays and IDA Pro training modules to workers between November 2025 and February 2026, covering disassembly, decompilation, and debugging. One shared link specifically addressed unpacking hostile PE executables.

Thirty-three DPRK IT workers were found communicating through the same IPMsg network. Separate log entries referenced plans to steal from Arcano, a GalaChain game, using a Nigerian proxy, though the outcome of that effort was not clear from the data.

ZachXBT characterized this cluster as less operationally sophisticated than higher-tier DPRK groups such as AppleJeus or TraderTraitor. He previously estimated that DPRK IT workers collectively generate a multiple-seven-figure sum per month. He noted that low-tier groups like this one attract threat actors because the risk is low and competition is minimal.

The luckyguys.site domain went offline on Thursday, the day after ZachXBT published his findings. He confirmed the full dataset was archived before the site was taken down.

The investigation offers a direct view into how DPRK IT worker cells collect payments, maintain fake identities, and move money through crypto and fiat systems, with documentation that shows both the scale and the operational gaps these groups rely on to stay active.

Source: https://news.bitcoin.com/zachxbt-publishes-leaked-dprk-payment-data-showing-1m-monthly-crypto-to-fiat-pipeline/
