Crypto Investigator Exposes North Korea’s Secret $1 Million A Month Scheme

bitcoinistPublished on 2026-04-09Last updated on 2026-04-09

Abstract

Cryptocurrency investigator ZachXBT exposed a North Korean state-sponsored IT worker scheme generating over $1 million per month. An infostealer malware breach revealed an internal payment server (luckyguys[.]site) used by DPRK operatives to manage crypto payments and fake identities. The data included chat logs, transaction histories, and organizational details, showing over $3.5 million flowed through linked wallets since late 2025. Workers posed as freelancers, used fabricated identities, and targeted DeFi projects. The operation, though less sophisticated than other DPRK hacking groups, highlights the regime's use of crypto for revenue generation and sanctions evasion. The site was taken down after the report.

Crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories.

The DPRK Crypto-Infiltration Saga, Part III (From This Week Only)

The North Korean secret crypto-agents saga continues. The hidden network of North Korea–aligned crypto hackers have been slowly exposed on the social network X these past days, following the attribution of the April 1st $285 million attack on Drift Protocol to UNC4736, a North Korea–aligned, state‐sponsored hacking group.

On Sunday, security researcher Taylor Monahan claimed that North Korean IT workers have quietly worked inside more than 40 DeFi projects over roughly seven years. Also on Sunday and Monday, multiple crypto industry actors shared videos and stories of North Korean IT workers failing the “Kim Jong-Un Test”.

Now, it was ZachXBT turn to publish his findings, which he did yesterday on a thread on the social network X. The exfiltrated data, that hadn’t been publicly released before, was shared with him by an anonymous source.

The extraction of the data was possible because one of this IT workers workers from the Democratic People’s Republic of Korea (DPRK) had his device infected with an infostealer (malware designed specifically to steal sensitive information). The malware exposed IPMsg chat logs, fabricated identities, and detailed browser activity.

2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform,... pic.twitter.com/0rA1CxSmZx

— ZachXBT (@zachxbt) April 8, 2026

The thread walks through how DPRK IT agents, often posing as freelancers abroad, are allegedly getting paid in crypto and funneled back into regime‐linked channels.

A Breakdown Of The Findings

The website that surfaced from the data extraction was called luckyguys.site. According to the crypto detective, it appeared to function as an internal payment remittance hub: a Discord‐like messaging platform where DPRK IT operatives reported and reconciled their crypto payments with superiors.

Believe it or not, the site’s default login password was set to “123456”. At the moment of the data extraction, ten accounts were still using it unchanged.

The 123456 password. Source. ZachXBT on X.

The account roster showed roles, Korean names, locations, and internal group codes that align with known North Korean IT worker structures. ZachXBT highlighted that three of the companies referenced in the data, Sobaeksu, Saenal, and Songkwang, are already subject to OFAC sanctions.

The crypto investigator shared a video showing direct messages from one WebMsg account, “Rascal”, with PC‐1234 (the server admin account) that spell out payment transfers and the use of fake identities from December 2025 to April 2026. Every payment in these chats is routed and finalized via PC‐1234. The logs also reference Hong Kong addresses for billing and delivery of goods, although whether those details are genuine still needs to be confirmed.

4/ Here is one of the WebMsg users ‘Rascal’ and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.

All payments are processed and confirmed through the server admin account: PC-1234.

Addresses in Hong... pic.twitter.com/akyjmTbL5J

— ZachXBT (@zachxbt) April 8, 2026

The findings only grow more interesting as the thread advances. Since late November 2025, more than $3.5 million has flowed into the payment wallets. The same remittance pattern shows up again and again: users either send crypto in directly from an exchange or service, or off‐ramp into fiat via Chinese bank accounts using platforms such as Payoneer.

After that, PC‐1234 acknowledges the incoming funds and hands over login credentials, which can be for different crypto exchanges or fintech payment apps, depending on the specific user.

5/ Since late November 2025 $3.5M+ was received across the payment wallet addresses.

The remittance pattern was consistent across users:

Users transfer crypto originating from an exchange or service, or convert to fiat via Chinese bank accounts through platforms like Payoneer.... pic.twitter.com/IhbqW3eKKI

— ZachXBT (@zachxbt) April 8, 2026

A Reconstruction Of The Network’s Hierarchy

The crypto detective reconstructed the network’s entire organizational hierarchy using the full dataset and made an interactive version of this org chart.

DPRK IT Workers - Organizational Structure. Source: ZachXBT on X.

When the investigator followed the internal payment wallets on‐chain, he found connections to several already‐attributed DPRK IT worker clusters. The Tron‐based wallet was frozen by Tether in December 2025.

Other interesting findings show that the compromised device, which belonged to someone called “Jerry”, still had Astrill VPN in use, along with multiple fabricated identities being used to apply for jobs. Inside an internal Slack workspace, a user named “Nami” shared a blog post about a deepfake job applicant linked to DPRK IT workers. One colleague asked if the story was about them, while another reminded the group they weren’t allowed to post external links.

8/ Jerry’s compromised device shows usage of Astrill VPN and various fake personas applying for jobs.

An internal Slack showed ‘Nami’ sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren’t allowed to... pic.twitter.com/7ZdGbX91WT

— ZachXBT (@zachxbt) April 8, 2026

Jerry exchanged messages with another North Korean IT worker about plans to steal from a project, using a Nigerian proxy to target Arcano, a GalaChain game. If that attack was ever carried out or not is unclear.

9/ Jerry actively discussed stealing from a project with another DPRK IT worker via Nigerian proxy targeting Arcano, a GalaChain game.

However, it remains unclear if the attack later materialized. pic.twitter.com/p9QQLHbB91

— ZachXBT (@zachxbt) April 8, 2026

The admin also distributed 43 Hex-Rays/IDA Pro training materials to the group between November 2025 and February 2026. These sessions focused on disassembly, decompilation, both local and remote debugging, and a range of cybersecurity techniques. One link shared on November 20 was explicitly titled: “using-ida-debugger-to-unpack-an-hostile-pe-executable”.

Final Thoughts

ZachXBT closing image for the thread. Source: ZachXBT on X.

ZachXBT concluded that this DPRK IT worker cluster appears relatively unsophisticated compared with outfits like AppleJeus and TraderTraitor, which run much tighter operations and pose a far greater systemic threat to the crypto industry. His earlier estimated that North Korean IT workers collectively pull in several million dollars a month is reinforced by this dataset.

Today, the investigator posted an update explaining that the internal DPRK payment portal has been pulled offline following the publication of his findings. All of the data was fully captured and archived beforehand.

Update: The internal DPRK payment site has since been taken down after my post.

However all data was archived in advance. pic.twitter.com/9cRdopal5g

— ZachXBT (@zachxbt) April 9, 2026

Crypto is now deeply embedded in geopolitical shadow economies. On‐chain transparency cuts both ways for users and adversaries.

It wouldn’t be surprising if markets start to price higher compliance costs for CEXs and OTC desks, or if there is more friction for stablecoin flows in sanctioned regions. The North Korean saga surely raises the odds of more aggressive enforcement against cross‐border flows, privacy tools, and high‐risk venues.

Yesterday, Bitcoin bounced back and reclaimed $72k. At the moment of writing, BTC trades for around $71k on the daily chart. Source: BTCUSDT on Tradingview.

Cover image from Perplexity. BTCUSDT chart from Tradingview.

Garlinghouse Says Ripple Remains ‘Extremely Committed’ To XRP

bitcoinist2h ago

Are Satoshi’s 600,000 BTC At Risk? Unveiling The Hard Fork That Targets Bitcoin

bitcoinist2h ago

Bitcoin Gives US Leverage Against China, Defense Secretary Hegseth Says

bitcoinist4h ago

Global Crypto Pig-Butchering Crackdown: US, UAE, And China Bust 9 Scam Centers

bitcoinist5h ago

Coinbase + Glassnode: Charting Crypto Q2 2026

insights.glassnode6h ago

Trading

Spot

Futures

Hot Articles

What is SONIC

Sonic: Pioneering the Future of Gaming in Web3 Introduction to Sonic In the ever-evolving landscape of Web3, the gaming industry stands out as one of the most dynamic and promising sectors. At the forefront of this revolution is Sonic, a project designed to amplify the gaming ecosystem on the Solana blockchain. Leveraging cutting-edge technology, Sonic aims to deliver an unparalleled gaming experience by efficiently processing millions of requests per second, ensuring that players enjoy seamless gameplay while maintaining low transaction costs. This article delves into the intricate details of Sonic, exploring its creators, funding sources, operational mechanics, and the timeline of significant events that have shaped its journey. What is Sonic? Sonic is an innovative layer-2 network that operates atop the Solana blockchain, specifically tailored to enhance the existing Solana gaming ecosystem. It accomplishes this through a customised, VM-agnostic game engine paired with a HyperGrid interpreter, facilitating sovereign game economies that roll up back to the Solana platform. The primary goals of Sonic include: Enhanced Gaming Experiences: Sonic is committed to offering lightning-fast on-chain gameplay, allowing players and developers to engage with games at previously unattainable speeds. Atomic Interoperability: This feature enables transactions to be executed within Sonic without the need to redeploy Solana programmes and accounts. This makes the process more efficient and directly benefits from Solana Layer1 services and liquidity. Seamless Deployment: Sonic allows developers to write for Ethereum Virtual Machine (EVM) based systems and execute them on Solana’s SVM infrastructure. This interoperability is crucial for attracting a broader range of dApps and decentralised applications to the platform. Support for Developers: By offering native composable gaming primitives and extensible data types - dining within the Entity-Component-System (ECS) framework - game creators can craft intricate business logic with ease. Overall, Sonic's unique approach not only caters to players but also provides an accessible and low-cost environment for developers to innovate and thrive. Creator of Sonic The information regarding the creator of Sonic is somewhat ambiguous. However, it is known that Sonic's SVM is owned by the company Mirror World. The absence of detailed information about the individuals behind Sonic reflects a common trend in several Web3 projects, where collective efforts and partnerships often overshadow individual contributions. Investors of Sonic Sonic has garnered considerable attention and support from various investors within the crypto and gaming sectors. Notably, the project raised an impressive $12 million during its Series A funding round. The round was led by BITKRAFT Ventures, with other notable investors including Galaxy, Okx Ventures, Interactive, Big Brain Holdings, and Mirana. This financial backing signifies the confidence that investment foundations have in Sonic’s potential to revolutionise the Web3 gaming landscape, further validating its innovative approaches and technologies. How Does Sonic Work? Sonic utilises the HyperGrid framework, a sophisticated parallel processing mechanism that enhances its scalability and customisability. Here are the core features that set Sonic apart: Lightning Speed at Low Costs: Sonic offers one of the fastest on-chain gaming experiences compared to other Layer-1 solutions, powered by the scalability of Solana’s virtual machine (SVM). Atomic Interoperability: Sonic enables transaction execution without redeployment of Solana programmes and accounts, effectively streamlining the interaction between users and the blockchain. EVM Compatibility: Developers can effortlessly migrate decentralised applications from EVM chains to the Solana environment using Sonic’s HyperGrid interpreter, increasing the accessibility and integration of various dApps. Ecosystem Support for Developers: By exposing native composable gaming primitives, Sonic facilitates a sandbox-like environment where developers can experiment and implement business logic, greatly enhancing the overall development experience. Monetisation Infrastructure: Sonic natively supports growth and monetisation efforts, providing frameworks for traffic generation, payments, and settlements, thereby ensuring that gaming projects are not only viable but also sustainable financially. Timeline of Sonic The evolution of Sonic has been marked by several key milestones. Below is a brief timeline highlighting critical events in the project's history: 2022: The Sonic cryptocurrency was officially launched, marking the beginning of its journey in the Web3 gaming arena. 2024: June: Sonic SVM successfully raised $12 million in a Series A funding round. This investment allowed Sonic to further develop its platform and expand its offerings. August: The launch of the Sonic Odyssey testnet provided users with the first opportunity to engage with the platform, offering interactive activities such as collecting rings—a nod to gaming nostalgia. October: SonicX, an innovative crypto game integrated with Solana, made its debut on TikTok, capturing the attention of over 120,000 users within a short span. This integration illustrated Sonic’s commitment to reaching a broader, global audience and showcased the potential of blockchain gaming. Key Points Sonic SVM is a revolutionary layer-2 network on Solana explicitly designed to enhance the GameFi landscape, demonstrating great potential for future development. HyperGrid Framework empowers Sonic by introducing horizontal scaling capabilities, ensuring that the network can handle the demands of Web3 gaming. Integration with Social Platforms: The successful launch of SonicX on TikTok displays Sonic’s strategy to leverage social media platforms to engage users, exponentially increasing the exposure and reach of its projects. Investment Confidence: The substantial funding from BITKRAFT Ventures, among others, emphasizes the robust backing Sonic has, paving the way for its ambitious future. In conclusion, Sonic encapsulates the essence of Web3 gaming innovation, striking a balance between cutting-edge technology, developer-centric tools, and community engagement. As the project continues to evolve, it is poised to redefine the gaming landscape, making it a notable entity for gamers and developers alike. As Sonic moves forward, it will undoubtedly attract greater interest and participation, solidifying its place within the broader narrative of blockchain gaming.

1.3k Total ViewsPublished 2024.04.04Updated 2024.12.03

What is $S$

Understanding SPERO: A Comprehensive Overview Introduction to SPERO As the landscape of innovation continues to evolve, the emergence of web3 technologies and cryptocurrency projects plays a pivotal role in shaping the digital future. One project that has garnered attention in this dynamic field is SPERO, denoted as SPERO,$$s$. This article aims to gather and present detailed information about SPERO, to help enthusiasts and investors understand its foundations, objectives, and innovations within the web3 and crypto domains. What is SPERO,$$s$? SPERO,$$s$ is a unique project within the crypto space that seeks to leverage the principles of decentralisation and blockchain technology to create an ecosystem that promotes engagement, utility, and financial inclusion. The project is tailored to facilitate peer-to-peer interactions in new ways, providing users with innovative financial solutions and services. At its core, SPERO,$$s$ aims to empower individuals by providing tools and platforms that enhance user experience in the cryptocurrency space. This includes enabling more flexible transaction methods, fostering community-driven initiatives, and creating pathways for financial opportunities through decentralised applications (dApps). The underlying vision of SPERO,$$s$ revolves around inclusiveness, aiming to bridge gaps within traditional finance while harnessing the benefits of blockchain technology. Who is the Creator of SPERO,$$s$? The identity of the creator of SPERO,$$s$ remains somewhat obscure, as there are limited publicly available resources providing detailed background information on its founder(s). This lack of transparency can stem from the project's commitment to decentralisation—an ethos that many web3 projects share, prioritising collective contributions over individual recognition. By centring discussions around the community and its collective goals, SPERO,$$s$ embodies the essence of empowerment without singling out specific individuals. As such, understanding the ethos and mission of SPERO remains more important than identifying a singular creator. Who are the Investors of SPERO,$$s$? SPERO,$$s$ is supported by a diverse array of investors ranging from venture capitalists to angel investors dedicated to fostering innovation in the crypto sector. The focus of these investors generally aligns with SPERO's mission—prioritising projects that promise societal technological advancement, financial inclusivity, and decentralised governance. These investor foundations are typically interested in projects that not only offer innovative products but also contribute positively to the blockchain community and its ecosystems. The backing from these investors reinforces SPERO,$$s$ as a noteworthy contender in the rapidly evolving domain of crypto projects. How Does SPERO,$$s$ Work? SPERO,$$s$ employs a multi-faceted framework that distinguishes it from conventional cryptocurrency projects. Here are some of the key features that underline its uniqueness and innovation: Decentralised Governance: SPERO,$$s$ integrates decentralised governance models, empowering users to participate actively in decision-making processes regarding the project’s future. This approach fosters a sense of ownership and accountability among community members. Token Utility: SPERO,$$s$ utilises its own cryptocurrency token, designed to serve various functions within the ecosystem. These tokens enable transactions, rewards, and the facilitation of services offered on the platform, enhancing overall engagement and utility. Layered Architecture: The technical architecture of SPERO,$$s$ supports modularity and scalability, allowing for seamless integration of additional features and applications as the project evolves. This adaptability is paramount for sustaining relevance in the ever-changing crypto landscape. Community Engagement: The project emphasises community-driven initiatives, employing mechanisms that incentivise collaboration and feedback. By nurturing a strong community, SPERO,$$s$ can better address user needs and adapt to market trends. Focus on Inclusion: By offering low transaction fees and user-friendly interfaces, SPERO,$$s$ aims to attract a diverse user base, including individuals who may not previously have engaged in the crypto space. This commitment to inclusion aligns with its overarching mission of empowerment through accessibility. Timeline of SPERO,$$s$ Understanding a project's history provides crucial insights into its development trajectory and milestones. Below is a suggested timeline mapping significant events in the evolution of SPERO,$$s$: Conceptualisation and Ideation Phase: The initial ideas forming the basis of SPERO,$$s$ were conceived, aligning closely with the principles of decentralisation and community focus within the blockchain industry. Launch of Project Whitepaper: Following the conceptual phase, a comprehensive whitepaper detailing the vision, goals, and technological infrastructure of SPERO,$$s$ was released to garner community interest and feedback. Community Building and Early Engagements: Active outreach efforts were made to build a community of early adopters and potential investors, facilitating discussions around the project’s goals and garnering support. Token Generation Event: SPERO,$$s$ conducted a token generation event (TGE) to distribute its native tokens to early supporters and establish initial liquidity within the ecosystem. Launch of Initial dApp: The first decentralised application (dApp) associated with SPERO,$$s$ went live, allowing users to engage with the platform's core functionalities. Ongoing Development and Partnerships: Continuous updates and enhancements to the project's offerings, including strategic partnerships with other players in the blockchain space, have shaped SPERO,$$s$ into a competitive and evolving player in the crypto market. Conclusion SPERO,$$s$ stands as a testament to the potential of web3 and cryptocurrency to revolutionise financial systems and empower individuals. With a commitment to decentralised governance, community engagement, and innovatively designed functionalities, it paves the way toward a more inclusive financial landscape. As with any investment in the rapidly evolving crypto space, potential investors and users are encouraged to research thoroughly and engage thoughtfully with the ongoing developments within SPERO,$$s$. The project showcases the innovative spirit of the crypto industry, inviting further exploration into its myriad possibilities. While the journey of SPERO,$$s$ is still unfolding, its foundational principles may indeed influence the future of how we interact with technology, finance, and each other in interconnected digital ecosystems.

54 Total ViewsPublished 2024.12.17Updated 2024.12.17

What is AGENT S

Agent S: The Future of Autonomous Interaction in Web3 Introduction In the ever-evolving landscape of Web3 and cryptocurrency, innovations are constantly redefining how individuals interact with digital platforms. One such pioneering project, Agent S, promises to revolutionise human-computer interaction through its open agentic framework. By paving the way for autonomous interactions, Agent S aims to simplify complex tasks, offering transformative applications in artificial intelligence (AI). This detailed exploration will delve into the project's intricacies, its unique features, and the implications for the cryptocurrency domain. What is Agent S? Agent S stands as a groundbreaking open agentic framework, specifically designed to tackle three fundamental challenges in the automation of computer tasks: Acquiring Domain-Specific Knowledge: The framework intelligently learns from various external knowledge sources and internal experiences. This dual approach empowers it to build a rich repository of domain-specific knowledge, enhancing its performance in task execution. Planning Over Long Task Horizons: Agent S employs experience-augmented hierarchical planning, a strategic approach that facilitates efficient breakdown and execution of intricate tasks. This feature significantly enhances its ability to manage multiple subtasks efficiently and effectively. Handling Dynamic, Non-Uniform Interfaces: The project introduces the Agent-Computer Interface (ACI), an innovative solution that enhances the interaction between agents and users. Utilizing Multimodal Large Language Models (MLLMs), Agent S can navigate and manipulate diverse graphical user interfaces seamlessly. Through these pioneering features, Agent S provides a robust framework that addresses the complexities involved in automating human interaction with machines, setting the stage for myriad applications in AI and beyond. Who is the Creator of Agent S? While the concept of Agent S is fundamentally innovative, specific information about its creator remains elusive. The creator is currently unknown, which highlights either the nascent stage of the project or the strategic choice to keep founding members under wraps. Regardless of anonymity, the focus remains on the framework's capabilities and potential. Who are the Investors of Agent S? As Agent S is relatively new in the cryptographic ecosystem, detailed information regarding its investors and financial backers is not explicitly documented. The lack of publicly available insights into the investment foundations or organisations supporting the project raises questions about its funding structure and development roadmap. Understanding the backing is crucial for gauging the project's sustainability and potential market impact. How Does Agent S Work? At the core of Agent S lies cutting-edge technology that enables it to function effectively in diverse settings. Its operational model is built around several key features: Human-like Computer Interaction: The framework offers advanced AI planning, striving to make interactions with computers more intuitive. By mimicking human behaviour in tasks execution, it promises to elevate user experiences. Narrative Memory: Employed to leverage high-level experiences, Agent S utilises narrative memory to keep track of task histories, thereby enhancing its decision-making processes. Episodic Memory: This feature provides users with step-by-step guidance, allowing the framework to offer contextual support as tasks unfold. Support for OpenACI: With the ability to run locally, Agent S allows users to maintain control over their interactions and workflows, aligning with the decentralised ethos of Web3. Easy Integration with External APIs: Its versatility and compatibility with various AI platforms ensure that Agent S can fit seamlessly into existing technological ecosystems, making it an appealing choice for developers and organisations. These functionalities collectively contribute to Agent S's unique position within the crypto space, as it automates complex, multi-step tasks with minimal human intervention. As the project evolves, its potential applications in Web3 could redefine how digital interactions unfold. Timeline of Agent S The development and milestones of Agent S can be encapsulated in a timeline that highlights its significant events: September 27, 2024: The concept of Agent S was launched in a comprehensive research paper titled “An Open Agentic Framework that Uses Computers Like a Human,” showcasing the groundwork for the project. October 10, 2024: The research paper was made publicly available on arXiv, offering an in-depth exploration of the framework and its performance evaluation based on the OSWorld benchmark. October 12, 2024: A video presentation was released, providing a visual insight into the capabilities and features of Agent S, further engaging potential users and investors. These markers in the timeline not only illustrate the progress of Agent S but also indicate its commitment to transparency and community engagement. Key Points About Agent S As the Agent S framework continues to evolve, several key attributes stand out, underscoring its innovative nature and potential: Innovative Framework: Designed to provide an intuitive use of computers akin to human interaction, Agent S brings a novel approach to task automation. Autonomous Interaction: The ability to interact autonomously with computers through GUI signifies a leap towards more intelligent and efficient computing solutions. Complex Task Automation: With its robust methodology, it can automate complex, multi-step tasks, making processes faster and less error-prone. Continuous Improvement: The learning mechanisms enable Agent S to improve from past experiences, continually enhancing its performance and efficacy. Versatility: Its adaptability across different operating environments like OSWorld and WindowsAgentArena ensures that it can serve a broad range of applications. As Agent S positions itself in the Web3 and crypto landscape, its potential to enhance interaction capabilities and automate processes signifies a significant advancement in AI technologies. Through its innovative framework, Agent S exemplifies the future of digital interactions, promising a more seamless and efficient experience for users across various industries. Conclusion Agent S represents a bold leap forward in the marriage of AI and Web3, with the capacity to redefine how we interact with technology. While still in its early stages, the possibilities for its application are vast and compelling. Through its comprehensive framework addressing critical challenges, Agent S aims to bring autonomous interactions to the forefront of the digital experience. As we move deeper into the realms of cryptocurrency and decentralisation, projects like Agent S will undoubtedly play a crucial role in shaping the future of technology and human-computer collaboration.

566 Total ViewsPublished 2025.01.14Updated 2025.01.14

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of S (S) are presented below.