According to PANews, a source revealed by ZachXBT has exposed a North Korean IT team using over 30 fake identities to secure developer positions. The team reportedly purchased Upwork and LinkedIn accounts using government IDs and conducted work through AnyDesk. The data obtained includes Google Drive exports, Chrome profiles, and screenshots.
The wallet address 0x78e1 is closely linked to a $680,000 attack on the Favrr platform in June 2025, with more North Korean IT personnel identified. The team utilized Google products to organize tasks and purchased SSNs, AI subscriptions, and VPNs. Some browsing history indicates frequent use of Google Translate for Korean translations, with IP addresses traced to Russia. The lack of vigilance from recruiters and insufficient collaboration between services pose significant challenges in combating such activities.