ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms
Blockchain investigator ZachXBT exposed a sophisticated North Korean IT worker operation that infiltrates Western technology companies through remote development positions.
In an Aug. 13 report, the investigator highlighted that an unnamed source compromised a device belonging to one of five DPRK IT workers, providing unprecedented access to their operational methods.
The team systematically purchased fake social security numbers, Upwork and LinkedIn accounts, phone numbers, and computer rentals to secure developer jobs at various projects.
Google Drive exports and Chrome browser profiles revealed that the workers extensively used Google products to organize team schedules, tasks, and budgets while communicating primarily in English.
Weekly reports from 2025 revealed that team members were struggling with job requirements, with one noting, “I can’t understand job requirement, and don’t know what I need to do,” alongside the directive to “put enough efforts in heart.”
Operational methods and technology stack
The DPRK workers followed a consistent pattern of purchasing Upwork and LinkedIn accounts, buying or renting computers, then using AnyDesk remote access software to conduct work for their employers.
Expense spreadsheets documented purchases of artificial intelligence subscriptions, VPNs, proxies, and other tools needed to maintain their fake identities.
Meeting schedules and scripts were maintained for each fake identity, including detailed personas like “Henry Zhang” with complete backstories and work histories.
The workers used a wallet address to send and receive payments, to which ZachXBT linked multiple fraudulent operations.
The wallet address tied the team to the $680,000 Favrr exploit from June 2025, where the company’s CTO and other developers were revealed as DPRK IT workers using fraudulent documents.
ZachXBT identified the Favrr CTO “Alex Hong” as having a suspicious background with recently deleted LinkedIn profiles and unverifiable work history.
Unsophisticated but persistent
Browser history from the compromised devices showed frequent Google Translate usage with Korean translations while operating from Russian IP addresses.
The evidence confirmed the workers’ North Korean origins despite their sophisticated English communications and Western personas.
ZachXBT noted the main challenge in combating DPRK IT workers stems from a lack of collaboration between services and the private sector, combined with negligence by hiring teams who become defensive when alerted about potential infiltration.
The workers convert earnings from development work into cryptocurrency through Payoneer, with the investigator noting they are “in no way sophisticated but are persistent since there are so many flooding the job market globally for roles.”
The exposure reveals the scale of North Korean infiltration into Western technology companies, with the compromised operation representing just one team among potentially hundreds operating similar schemes across remote development platforms.
The post ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms appeared first on CryptoSlate.
Read More
ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms
Blockchain investigator ZachXBT exposed a sophisticated North Korean IT worker operation that infiltrates Western technology companies through remote development positions.
In an Aug. 13 report, the investigator highlighted that an unnamed source compromised a device belonging to one of five DPRK IT workers, providing unprecedented access to their operational methods.
The team systematically purchased fake social security numbers, Upwork and LinkedIn accounts, phone numbers, and computer rentals to secure developer jobs at various projects.
Google Drive exports and Chrome browser profiles revealed that the workers extensively used Google products to organize team schedules, tasks, and budgets while communicating primarily in English.
Weekly reports from 2025 revealed that team members were struggling with job requirements, with one noting, “I can’t understand job requirement, and don’t know what I need to do,” alongside the directive to “put enough efforts in heart.”
Operational methods and technology stack
The DPRK workers followed a consistent pattern of purchasing Upwork and LinkedIn accounts, buying or renting computers, then using AnyDesk remote access software to conduct work for their employers.
Expense spreadsheets documented purchases of artificial intelligence subscriptions, VPNs, proxies, and other tools needed to maintain their fake identities.
Meeting schedules and scripts were maintained for each fake identity, including detailed personas like “Henry Zhang” with complete backstories and work histories.
The workers used a wallet address to send and receive payments, to which ZachXBT linked multiple fraudulent operations.
The wallet address tied the team to the $680,000 Favrr exploit from June 2025, where the company’s CTO and other developers were revealed as DPRK IT workers using fraudulent documents.
ZachXBT identified the Favrr CTO “Alex Hong” as having a suspicious background with recently deleted LinkedIn profiles and unverifiable work history.
Unsophisticated but persistent
Browser history from the compromised devices showed frequent Google Translate usage with Korean translations while operating from Russian IP addresses.
The evidence confirmed the workers’ North Korean origins despite their sophisticated English communications and Western personas.
ZachXBT noted the main challenge in combating DPRK IT workers stems from a lack of collaboration between services and the private sector, combined with negligence by hiring teams who become defensive when alerted about potential infiltration.
The workers convert earnings from development work into cryptocurrency through Payoneer, with the investigator noting they are “in no way sophisticated but are persistent since there are so many flooding the job market globally for roles.”
The exposure reveals the scale of North Korean infiltration into Western technology companies, with the compromised operation representing just one team among potentially hundreds operating similar schemes across remote development platforms.
The post ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms appeared first on CryptoSlate.
Read More