ChainCatcher message, according to ZachXBT, a source has infiltrated North Korean IT personnel's devices and discovered that their small team uses over 30 false identities to obtain developer positions, purchases Upwork and LinkedIn accounts using government IDs, and conducts work through AnyDesk. Relevant data includes Google Drive exports, Chrome profiles, and screenshots.
Wallet address 0x78e1 is closely related to the $680,000 attack on the Favrr platform in June 2025, with more North Korean IT personnel identified. The team utilizes Google products to schedule tasks and purchases SSN, AI subscriptions, and VPNs, among others. Some browsing records show frequent use of Google Translate to translate Korean, with IP addresses traced to Russia. The negligence of recruiters and the lack of collaboration between services are major challenges in combating such activities.