PANews reported on August 13 that, according to ZachXBT, a source infiltrated the devices of North Korean IT personnel and discovered that their small team obtained developer positions through over 30 fake identities, used government IDs to purchase Upwork and LinkedIn accounts, and worked via AnyDesk. Relevant data includes Google Drive exports, Chrome profiles, and screenshots.
Wallet address 0x78e1 is closely related to the $680,000 attack on the Favrr platform in June 2025, with more North Korean IT personnel also being identified. The team used Google products to schedule tasks and purchased SSNs, AI subscriptions, and VPNs. Some browsing records show frequent use of Google Translate to translate Korean, with the IP address being Russian. The negligence of recruiters and the lack of collaboration between services have become major challenges in combating such activities.