Renowned on-chain sleuth ZachXBT, citing white-hat hacker research, reveals how a five-person North Korean hacker team used fake identities to infiltrate development projects. This article covers their work patterns, expenditure details, and fund flows, providing key insights for mitigating this threat. It is based on a post by ZachXBT and was compiled, edited, and written by Azuma and Odaily.

North Korean hackers have long been a significant threat to the cryptocurrency market. In previous years, victims and security professionals could only infer North Korean hacker behavior patterns by reverse engineering related security incidents. Yesterday, however, renowned blockchain detective ZachXBT cited a white-hat hacker's investigation and analysis of North Korean hackers in a tweet. For the first time, this proactively revealed the North Korean hackers' "working methods," potentially providing useful input for preemptive security measures at industry projects. The following is ZachXBT's full post, compiled by Odaily Planet Daily.

An anonymous hacker recently compromised the device of a North Korean IT worker, revealing how a five-person technical team operated under more than 30 fake identities. The team not only possessed fake government-issued IDs but also infiltrated various development projects by purchasing Upwork and LinkedIn accounts. Investigators obtained Google Drive data, Chrome browser settings, and device screenshots. The data revealed that the team relied heavily on Google tools to coordinate work schedules, assign tasks, and manage budgets, with all communications conducted in English.
A weekly report from 2025 revealed the hacker team's work patterns and the difficulties they encountered during the period. For example, one member complained that he "couldn't understand the work requirements and didn't know what to do." The corresponding solution column was filled in with "dedicated and redoubled efforts"...

Expense details showed that their expenses included purchasing Social Security numbers (SSNs), Upwork and LinkedIn account transactions, renting phone numbers, subscribing to AI services, renting computers, and purchasing VPN/proxy services.

One spreadsheet detailed the schedule and scripts for meetings attended under the false identity "Henry Zhang." The process revealed that these North Korean IT workers would first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work using the AnyDesk remote control tool.

One of the wallet addresses used for sending and receiving payments was 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c. This address was closely linked to the $680,000 Favrr protocol attack in June 2025. It was later confirmed that the chief technology officer and other developers were North Korean IT workers with forged credentials. This address also allowed the identification of North Korean IT personnel involved in other infiltration projects.

The following key evidence was also found in the team's search and browser history.

One might ask, "How can we confirm they are from North Korea?" In addition to all the fraudulent documents detailed above, their search history also shows frequent use of Google Translate from Russian IP addresses to translate into Korean.

Currently, the main challenges facing businesses in preventing North Korean IT workers are concentrated in the following areas:

Systemic Collaboration Failure: There is a lack of effective information sharing and cooperation mechanisms between platform providers and private enterprises.

Employer Oversight: Hiring teams often become defensive after receiving risk warnings, or even refuse to cooperate with investigations.

Numerous Forces: While their technical methods are relatively simple, they continue to penetrate the global job market thanks to their vast pool of job seekers.

Funding Conversion: Payment platforms like Payoneer are frequently used to convert fiat currency income earned from development work into cryptocurrency.

I've already covered the indicators to watch for many times; those interested can review my tweets, so I won't repeat them here.

"ZachXBT Full Text: After Dehacking North Korean Hacker Equipment, I Understood Their Working Methods" was originally published on BlockTempo (Dynamic Trends - the most influential blockchain news media).