North Korea IT scam nets $3.5M via crypto

Grafa
Written by Liezl Gambe

A group of North Korean IT workers generated more than $3.5 million in crypto by posing as developers and infiltrating projects, according to leaked data shared by blockchain investigator ZachXBT.

The operation involved around 140 workers led by an individual known as “Jerry,” who collectively earned about $1 million per month by securing remote IT roles under false identities.

The group coordinated crypto payments through a website using the weak shared password “123456,” exposing major operational security flaws despite the scale of the scheme.

Some participants were linked to entities including Sobaeksu, Saenal, and Songkwang, which are sanctioned by the US Office of Foreign Assets Control.

Funds were converted into fiat and transferred to Chinese bank accounts through platforms such as Payoneer, with blockchain tracing linking wallets to addresses previously blacklisted by Tether.

The case highlights ongoing threats from North Korean cyber operations, which have stolen more than $7 billion since 2009, including major incidents such as the Ronin bridge hack and the Bybit hack.

While the exposed group appeared less sophisticated than units like AppleJeus and TraderTraitor, analysts warn that state-backed cyber activity remains one of the most persistent risks to the crypto industry.
