ZachXBT exposed a network linked to North Korea that stole identities

Blockchain investigation expert ZachXBT has uncovered a network allegedly linked to North Korean individuals, generating approximately $1 million per month through identity fraud and money laundering channels.

4/9/2026 · 2 min read

$1 million stolen per month

Renowned blockchain investigator ZachXBT has released detailed findings from a compromised internal payment server belonging to a North Korean IT operative network, exposing a systematic revenue-generating scheme that processes approximately $1 million per month through fake identities and the conversion of cryptocurrency to fiat currency. The leaked dataset, publicly shared on X on April 8, 2026, includes 390 accounts, chat logs, transaction records, and organizational details covering activity from late November 2025 onwards, with total inflows exceeding $3.5 million.

This operation centered around an internal money transfer platform called luckyguys.site, which served as a central hub for reporting earnings, processing payments, and managing cash outflows. Employees used forged identities, fake legal documents, and fictitious professional credentials to secure IT and remote development positions, often in the cryptocurrency field, while simultaneously transferring earned funds back to the regime through cryptocurrency channels.

From isolated attacks to recurring revenue streams

Previous stages of cryptocurrency crime were primarily large-scale, high-profile mining operations. The current model is different. It's more like a business.

Instead of directly targeting protocols, the network is believed to rely on spoofing identities, access to freelance and remote work platforms, and the steady conversion of cryptocurrency earnings into fiat currency.

The result is a system that generates predictable monthly income, rather than erratic profits. This marks a shift from sporadic attacks to continuous exploitation.

The role of identity in the new threat model

What makes this network particularly difficult to detect is not its technical sophistication at the protocol level, but its use of identity. By leveraging forged or stolen identities, the perpetrators can:

  • Bypass registration controls.

  • Integrate into legitimate economic activities.

  • Transfer money without immediately arousing suspicion.

This shifts the attack surface away from smart contracts and toward compliance infrastructure, where verification systems are often fragmented across multiple jurisdictions. In this model, the weakest link is no longer the code but identity verification.

Operating money laundering channels

The ability to convert digital assets into fiat currency remains the most crucial step in any illicit operation. The network has reportedly developed reliable pathways to:

  • Withdraw money through exchanges or intermediaries.

  • Distribute cash flow across multiple accounts.

  • Avoid concentrating money in a way that could trigger a warning.

Law enforcement is most effective at the intersection of cryptocurrency and traditional finance. Once funds have been successfully withdrawn, tracing them becomes significantly more complex.

The alleged link to North Korea aligns with previous intelligence assessments, suggesting these groups are increasingly relying on cryptocurrency as a funding source. Instead of solely relying on large-scale theft, these groups are diversifying their income streams, reducing operational visibility, and building systems that can endure for the long term.

Our review

This latest incident aligns with previous investigations by ZachXBT, which documented North Korean agents infiltrating dozens of cryptocurrency projects using over 30 fake identities and generating $300,000-$500,000 per month in earlier schemes. U.S. Treasury sanctions in March 2026 targeted similar networks, which are estimated to have generated nearly $800 million in 2024 alone through such fraudulent activities.

The current campaign highlights how individuals from North Korea continue to exploit the remote work trend in the technology and cryptocurrency sectors, using forged documents to bypass KYC/AML checks during the recruitment and withdrawal stages.


Disclaimer: The information presented in this article is the author's personal opinion in the field of cryptocurrency. This is not financial or investment advice. All investment decisions should be based on careful consideration of your personal portfolio and risk tolerance. The views expressed in this article do not represent the official stance of the platform. We recommend that readers conduct their own research and consult with experts before making any investment decisions.

Compiled and analyzed by HCCVenture
