TLDR:
DPRK IT workers operated 30+ fake identities to infiltrate crypto projects via Upwork and LinkedIn.
Google tools and English communication were central to the DPRK team’s coordination in job infiltration schemes.
Blockchain address tied DPRK workers to $680K Favrr exploit in June 2025, per ZachXBT.
Expenses included SSNs, AI tools, VPNs, and rented computers for fraudulent job operations.
A small North Korean cyber team quietly slipped into the heart of the global crypto workforce. They weren’t hacking exchanges directly. Instead, they posed as regular developers, collecting paychecks from unsuspecting blockchain projects.
The group ran dozens of fake identities, complete with forged government documents, rented laptops, and bought LinkedIn accounts.
Crypto sleuth ZachXBT has linked them to a $680,000 exploit earlier this year. The findings shed light on how simple but persistent these operations have become.
DPRK IT Workers Used Fake Identities to Infiltrate Crypto Jobs
According to ZachXBT, an unnamed source compromised a device belonging to one of the IT workers. This revealed a tightly run group of five North Korean operatives managing more than 30 fabricated identities.
These personas had official-looking IDs and purchased access to Upwork and LinkedIn accounts. The aim was simple: get hired at blockchain companies and gain access to internal systems.
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.
— ZachXBT (@zachxbt) August 13, 2025
Exports from their Google Drive and Chrome profiles revealed how the team kept everything organized. They used Google Calendar for meeting schedules, Google Sheets for budgets and reports, and Google Docs for task coordination.
All communications were done in English, a detail that helped them pass early screening stages.
Weekly reports from 2025 showed more than technical updates. They included personal notes about confusion over assignments and efforts to “put enough heart” into work. This was not a sophisticated cyber-espionage operation. It was a grinding attempt to hold onto jobs long enough to extract income.
Their expense logs included purchases of stolen Social Security numbers, phone numbers, AI subscriptions, VPNs, and computer rentals. After setting up, they often worked remotely via AnyDesk using rented or borrowed hardware to keep their location hidden.
Blockchain Trail Connects Group to $680K Favrr Exploit
One Ethereum address, 0x78e1…, stood out among their wallet activity. ZachXBT traced it to the June 2025 Favrr exploit worth $680,000. In that incident, the company’s CTO and several developers were revealed to be DPRK IT workers using fraudulent documents.
From that same address, investigators found connections to additional developer accounts in other crypto projects. This link demonstrated how the same group reused infrastructure across different targets. It also showed how job infiltration can lead to direct financial theft.
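The infrastructure reuse described above is what lets a defender link separate personas. The following is an added example, not code from ZachXBT's investigation or from this article: it clusters contractor identities that share a payout address or source IP, directly or transitively. The records, field names and the `cluster_identities` function are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (placeholders, not data from the investigation):
# contractor payout details pooled from several hiring projects.
RECORDS = [
    {"identity": "dev-a", "project": "proj1", "payout": "0xAAA1", "ip": "203.0.113.10"},
    {"identity": "dev-b", "project": "proj2", "payout": "0xaaa1", "ip": "198.51.100.7"},
    {"identity": "dev-c", "project": "proj3", "payout": "0xBBB2", "ip": "198.51.100.7"},
    {"identity": "dev-d", "project": "proj1", "payout": "0xCCC3", "ip": "192.0.2.44"},
    {"identity": "dev-e", "project": "proj4", "payout": "0xDDD4", "ip": "192.0.2.99"},
    {"identity": "dev-f", "project": "proj4", "payout": "0xDDD4", "ip": "192.0.2.99"},
]

def cluster_identities(records, link_keys=("payout", "ip")):
    """Group identities that share any linking attribute, directly or transitively."""
    parent = {}

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first identity seen using it
    projects = defaultdict(set)
    for rec in records:
        ident = rec["identity"]
        find(ident)
        projects[ident].add(rec["project"])
        for key in link_keys:
            value = (rec.get(key) or "").strip().lower()  # hex addresses compare case-insensitively
            if not value:
                continue
            owner = first_seen.setdefault((key, value), ident)
            parent[find(ident)] = find(owner)

    groups = defaultdict(set)
    for ident in parent:
        groups[find(ident)].add(ident)
    clusters = [
        {"identities": sorted(g), "projects": sorted(set().union(*(projects[i] for i in g)))}
        for g in groups.values() if len(g) > 1
    ]
    return sorted(clusters, key=lambda c: (-len(c["identities"]), c["identities"]))

if __name__ == "__main__":
    for c in cluster_identities(RECORDS):
        print(c)
```

A shared IP can also be a commercial VPN exit or an office NAT, so a cluster is a lead for manual review rather than a verdict; a shared payout address is the stronger link.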
Browser history offered more confirmation. Frequent use of Google Translate into Korean, combined with Russian IP addresses, matched patterns seen in previous DPRK-linked cases. This strengthened attribution, even without insider confessions.
Industry Struggles to Detect and Stop IT Worker Infiltration
ZachXBT noted that the main challenge in stopping such operations is the lack of coordination between private firms and service providers. Many hiring teams resist warnings about possible DPRK infiltration, sometimes becoming combative with investigators.
The IT workers themselves are not highly skilled compared to elite cybercrime groups. Instead, their advantage lies in sheer numbers. Hundreds are competing for remote tech jobs worldwide, making detection harder.
Payments from these jobs often move through Payoneer before being converted into cryptocurrency. This provides some traceability, but only if hiring companies share data quickly.
Without that cooperation, the same accounts can cycle through multiple projects before detection.
The post North Korean IT Workers Used 30+ Fake Identities to Land Crypto Jobs, Says ZachXBT appeared first on Blockonomi.