Renowned blockchain investigator ZachXBT has exposed an elaborate scheme involving five North Korean IT workers who created more than 30 fake identities.
These operatives used government-issued ID cards and purchased professional accounts on Upwork and LinkedIn to get jobs with cryptocurrency projects as developers.
Anonymous Source Compromises North Korean IT Workers’ Devices to Reveal Operation Details
According to on-chain intelligence published on August 13, an unidentified informant successfully breached a Democratic People’s Republic of Korea (DPRK) IT worker’s device, providing insight into how this five-person team executed their employment fraud operation.
The compromised data included exports from Google Drive, Chrome browser profiles, and device screenshots.
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.
“I can't understand job requirement, and don't know what I need to do”
“Solution / fix: Put enough efforts in heart” pic.twitter.com/rYkDC3jESf— ZachXBT (@zachxbt) August 13, 2025
All communications were conducted in English. Financial documentation obtained from the breach shows the technology job syndicate’s systematic approach to acquiring the necessary tools for their deception.
Their expense spreadsheet details purchases of Social Security numbers, professional (LinkedIn and Upwork) accounts, phone numbers, artificial-intelligence subscriptions, computer rental services, and VPN/proxy networks.
All of these were designed to meet blockchain industry employment requirements and facilitate access to internal systems and codebases.
ZachXBT’s investigation revealed documentation outlining meeting schedules for targeted cryptocurrency projects, alongside detailed scripts for maintaining the fraudulent identity “Henry Zhang.”
The operatives utilized AnyDesk software to access convenient VPN services, allowing them to appear as if they were located in regions they falsely claimed as their residence to employers.
The leaked materials included Telegram conversations where team members discussed successful job placements and payment arrangements. In these exchanges, they shared ERC-20 wallet addresses designated for salary deposits.
The investigation took a major turn when ZachXBT traced one frequently used ERC-20 wallet address (0x78e1) back to the recent $680,000 Favrr exploit that occurred in June 2025.
This incident involved the project’s chief technology officer and additional developers who were later identified as DPRK IT workers operating with fraudulent credentials.
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.
Additional DPRK ITWs were identified at projects from the 0x78e1 address. https://t.co/BPZmFo8n5d pic.twitter.com/DcQnvNetxY— ZachXBT (@zachxbt) August 13, 2025
This revelation prompted several cryptocurrency projects to conduct internal investigations, discovering that some of their development teams and decision-makers were North Korean operatives using false identities.
Evidence Confirms North Korean Workers’ Origin Despite Skepticism
When community members questioned the operatives’ North Korean origins, ZachXBT pointed to compelling evidence within the leaked materials.
Beyond the fraudulent documentation, browser history data showed extensive Google Translate usage with Korean language translations, all originating from Russian IP addresses.
10/ Still one of the more common questions is “how do you know they are North Korean?”
Well besides all of the fraudulent documents detailed above their search history showed frequent Google Translate usage with translations to Korean with a Russian IP. pic.twitter.com/wtTgzaiNcy— ZachXBT (@zachxbt) August 13, 2025
The cryptocurrency community’s reaction has been mixed, with many pointing to hiring negligence among teams that become defensive when alerted to potential security threats.
Some community members emphasized the depth of the fake identity and account creation ecosystem, suggesting that numerous crypto projects may be unaware of who actually has access to their GitHub repositories and sensitive code.
“It’s an operational hazard for the industry,” explained Shaun Potts, founder of crypto-focused recruiting firm Plexus, who told Cryptonews in a related situation in July.
“It’s an ongoing challenge, similar to how hacking persists in technology. While you cannot eliminate it entirely, you can minimize associated risks.”
The crypto industry has shown varying success rates in identifying these threats.
For example, cryptocurrency exchange Kraken successfully identified a potential North Korean threat actor masquerading as a job candidate in May.
However, others have fallen victim to these sophisticated operations.
In January, these technologically adept scammers allegedly stole $2.2 million worth of cryptocurrency from New York residents through text message campaigns claiming to offer remote job assistance.
DPRK-linked perpetrators landed in remote IT jobs using fake and stolen identities and exploited their company’s trust to steal and launder over $900,000 in crypto.#DPRK #NorthKoreaCrypto #CryptoScamhttps://t.co/6UvXug5OZp
— Cryptonews.com (@cryptonews) July 1, 2025
The scheme involved requesting job-seekers to deposit Tether (USDT) and USD Coin (USDC) stablecoins into designated cryptocurrency accounts.
Similarly, in June, U.S. authorities seized more than $7.7 million in cryptocurrency allegedly earned through a covert network of North Korean IT workers who posed as foreign freelancers while channeling their income back to the North Korean government.
The post ZachXBT Exposes 5 North Korean Workers Running 30+ Fake Identities to Target Crypto Projects appeared first on Cryptonews.
