The world of high-stakes cyber warfare usually brings to mind complex coding and impenetrable firewalls. However, a recent data leak proves that even state-sponsored threat actors can be taken down by a very common human error: using a highly insecure password. A counterhacker recently breached a device belonging to a North Korean operative, handing the leaked data over to the well-known blockchain investigator ZachXBT. The findings were significant. A highly organized network of workers had been posing as freelance developers to infiltrate Western companies, earning millions of dollars while quietly plotting to drain the very crypto projects that hired them.
The One-Million-Dollar-a-Month Covert Operation
The exposed documents centered around a worker using the alias Jerry, who operated alongside a team of 140 members. Together, they were bringing in an estimated one million dollars a month, accumulating over $3.5 million in crypto since late last year. These operatives were not just hacking from the shadows; they were clocking in for seemingly legitimate remote work. The group coordinated their payroll and assignments through a centralized hub called luckyguys.site. Ironically, while these individuals possessed the technical skills to land lucrative full-stack developer and software engineering roles, they secured their internal payment portal with the shared password “123456.”
Once investigators got past that basic password, they discovered a corporate-style leaderboard. This system ranked the IT workers by how much cryptocurrency they had successfully funneled back to the regime. The payments were generally converted into fiat currency and routed to Chinese bank accounts through online platforms like Payoneer. Tracing this digital paper trail allowed ZachXBT to link the wallets back to entities previously placed on a denylist by Tether and sanctioned by the US Office of Foreign Assets Control.
Forged Resumes and the Growing Remote Work Threat
Landing these high-paying roles required a sophisticated mix of identity masking and social engineering. One operative, going by the name Rascal, was found with folders full of forged documents, including fabricated Hong Kong billing statements and an Irish passport. By utilizing virtual private networks, they masked their true locations, making it appear as though they were working from places like Texas or Europe instead of North Korea. In one intercepted communication, Jerry was caught drafting a cover letter for a WordPress and SEO position at a Texas T-shirt company, asking for an hourly rate of thirty dollars.
This strategy serves a dual purpose for the regime. It provides a steady, hard-to-trace stream of revenue while quietly embedding state-backed actors deep inside the private servers of Western businesses. While blockchain investigators noted that this specific group was less sophisticated than elite North Korean hacking units like AppleJeus, their ability to fly under the radar remains a massive industry risk. With North Korean state-backed hackers having stolen over seven billion dollars since 2009, companies are learning a hard lesson. The next major threat to your company’s security might not be an external breach, but a new remote hire with a flawless, completely fabricated resume.