ZachXBT Exposes North Korea-Linked IT Worker Ring Moving $1M Per Month in Crypto
On-chain investigator ZachXBT published findings on April 9, 2026, revealing an active North Korean state-linked IT worker network that has processed more than $3.5 million in cryptocurrency since late November 2025, at a pace approaching $1 million per month.

The investigation stems from data captured on a compromised device belonging to a suspected DPRK operative. The device had been infected with infostealer malware, which exposed an internal payment platform called luckyguys[.]site. The leaked data contained 390 user accounts, chat logs, fabricated identity documents, and detailed transaction records. At least 33 workers were found communicating via IPMsg, a local area network messaging application typically used inside office environments.
Inside the Network
Workers routed funds from cryptocurrency exchanges into personal wallets, then converted proceeds to fiat through Chinese bank accounts and the payment platform Payoneer. At least one Ethereum address and one Tron address tied to the network were frozen by Tether in December 2025.
Three entities already listed on OFAC's Specially Designated Nationals list, Sobaeksu, Saenal, and Songkwang, appeared directly in the breached data.
Workers used Astrill VPN to conceal their locations and applied for legitimate-looking tech roles on hiring platforms including Indeed, sometimes targeting positions as WordPress developers at roughly $30 per hour. One alias, "Jerry," applied for software engineering roles while also discussing the theft of assets from Arcano, a game built on GalaChain. Another alias, "Rascal," submitted fabricated billing statements listing fake Hong Kong addresses alongside photographs of an Irish passport.
An administrative account labeled "PC-1234" distributed 43 training modules to workers between November 2025 and February 2026. The materials focused on reverse engineering tools including Hex-Rays and IDA Pro, as well as malware analysis and decompilation techniques for analyzing binary code.
The network also maintained a performance leaderboard tracking individual crypto earnings starting December 8, 2025.
ZachXBT noted that the operators on this platform showed weaker tradecraft compared to elite DPRK units like AppleJeus and TraderTraitor. One illustration of that gap: the server's default password was "123456," and ten users never changed it.
DeFi Projects Caught Hiring DPRK Workers
The disclosures extend beyond the payment network. ZachXBT separately identified a DPRK operative who worked inside Solana-based DeFi project ElementalDeFi for multiple years under the alias Keisuke Watanabe. The individual also used GitHub handles including kasky53, keisukew53, kdevdivvy, and 0xWoo. ZachXBT's public disclosure on X included the worker's full name, email address, associated wallet addresses on Solana and Ethereum, and supporting OSINT documentation.
On April 7, 2026, Solana-based decentralized exchange Stabble took the unusual step of publicly directing all liquidity providers to withdraw their funds after it identified a suspected former DPRK-linked employee. Liquidity providers in DeFi are users who deposit token pairs into a protocol's trading pools in exchange for a share of transaction fees. Stabble's move stands out because projects rarely make such findings public.
Regional Exposure: South Asia and Africa Face Downstream Risk
This network's financial plumbing overlaps heavily with infrastructure used by legitimate freelancers across South Asia and Africa.
Payoneer is one of the most widely used payout channels for developers in India, Pakistan, and Bangladesh. Its confirmed use in DPRK money flows may draw regulatory scrutiny to transactions moving through those corridors, creating friction for non-malicious workers. The pattern of fake applications through mainstream job platforms at standard market rates also makes DPRK-linked candidates difficult to distinguish from genuine South Asian applicants, which could lead Web3 projects to apply blanket additional screening to the region.
In Africa, the risk is more direct. Researchers at Flashpoint and CSIS have documented DPRK IT worker infrastructure operating inside Nigeria and Tanzania, and Equatorial Guinea has also appeared in the documented geographic footprint of this network. The network's use of Tron-based USDT maps onto P2P crypto-to-fiat patterns common across the region, including markets like Kenya where TRC-20 stablecoins are standard tools for remittance and informal commerce. DPRK operatives have also been documented recruiting third-party collaborators on platforms like Upwork, meaning developers in Nigeria, Tanzania, South Africa, or other markets could unknowingly serve as payment intermediaries.
Broader Context
This case is part of a documented escalation. North Korean-linked actors stole $2.02 billion in crypto during 2025 alone, a 51 percent increase year over year, bringing the estimated total since 2016 to roughly $6.75 billion. The broader DPRK IT worker program is estimated by OFAC, Flashpoint, and a 2025 United Nations report to generate between $350 million and $800 million per year, providing a sustained revenue stream that funds state priorities including weapons development.
In February 2025, the FBI attributed the theft of $1.5 billion in Ethereum from the exchange Bybit to the Lazarus Group, a North Korean state-sponsored hacking collective.
Earlier this month, Solana-based protocol Drift linked a more than $280 million exploit to a six-month social engineering campaign by suspected DPRK actors, a finding corroborated by blockchain analytics firm Elliptic.
On March 12, 2026, OFAC sanctioned six individuals and two entities connected to IT worker fraud schemes and designated 21 cryptocurrency addresses across multiple blockchains. The action followed a 2024 haul from these schemes estimated at nearly $800 million, a figure that underscores the scale regulators are attempting to address.
The practical guidance emerging from this body of research points toward a single precaution: crypto projects should cross-reference all contributor wallet addresses against OFAC lists and blockchain monitoring tools before processing any payments, rather than relying on reactive blacklisting after funds have already moved.
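The pre-payment screening described above can be wired into a payout pipeline as a hard gate. The following Python is an added illustration, not code from ZachXBT, Stabble, or any project named in this article. It assumes a sanctions set of (chain, address) pairs that in production would be rebuilt from the "Digital Currency Address" records of the published OFAC SDN list; the addresses here are constructed placeholders, not real sanctioned addresses. Two details matter in practice and are handled explicitly: hex (EVM) addresses are case-insensitive, so they are lowercased before lookup, while base58 addresses on Tron and Solana are case-sensitive and compared exactly; and anything malformed or on an unsupported chain goes to manual review instead of being allowed by default.

```python
"""Screen contributor wallet addresses against a sanctions list before paying."""
import re
from dataclasses import dataclass

# Address syntax per chain and the canonicalisation applied before lookup.
# EVM hex addresses are case-insensitive (EIP-55 only varies letter case), so
# they are lowercased; base58 addresses (Tron, Solana) are case-sensitive.
CHAIN_RULES = {
    "ETH": (re.compile(r"^0x[0-9a-fA-F]{40}$"), str.lower),
    "TRX": (re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"), str),
    "SOL": (re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"), str),
}

# Constructed placeholder records standing in for the "Digital Currency
# Address" entries of the OFAC SDN list. These are NOT real sanctioned
# addresses; a real deployment rebuilds this set from the OFAC files each run.
SANCTIONED = {
    ("ETH", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    ("TRX", "TPLACEHLDRxxxxxxxxxxxxxxxxxxxxxxxx"),
}


@dataclass(frozen=True)
class Payout:
    contributor: str
    chain: str
    address: str
    amount_usd: float


def normalize(chain: str, address: str):
    """Return the canonical form of `address`, or None if it is malformed for `chain`."""
    rule = CHAIN_RULES.get(chain.upper())
    if rule is None:
        return None
    pattern, canon = rule
    address = address.strip()
    if not pattern.match(address):
        return None
    return canon(address)


def screen(chain: str, address: str) -> str:
    """Decide 'block', 'review' or 'allow' for one destination address.

    Malformed or unsupported addresses are routed to review rather than
    allowed, so a typo or an unexpected chain cannot bypass the check.
    """
    canon = normalize(chain, address)
    if canon is None:
        return "review"
    if (chain.upper(), canon) in SANCTIONED:
        return "block"
    return "allow"


def screen_batch(payouts):
    """Partition a payout run; only the 'allow' bucket may proceed to payment."""
    result = {"allow": [], "block": [], "review": []}
    for p in payouts:
        result[screen(p.chain, p.address)].append(p)
    return result


def sample_batch():
    """A constructed payout run exercising every decision path."""
    return [
        Payout("alice", "ETH", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01", 1200.0),
        # Same sanctioned EVM address as in SANCTIONED, but in upper case.
        Payout("bob", "ETH", "0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", 950.0),
        Payout("carol", "TRX", "TAnotherConstructedAddr11111111111", 400.0),
        Payout("dave", "TRX", "TPLACEHLDRxxxxxxxxxxxxxxxxxxxxxxxx", 300.0),
        # Wrong address format for the declared chain: goes to review.
        Payout("erin", "TRX", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", 75.0),
        # Chain not covered by the rules: goes to review, never allowed.
        Payout("frank", "BTC", "constructed-unsupported-address", 50.0),
    ]


if __name__ == "__main__":
    for bucket, items in screen_batch(sample_batch()).items():
        print(bucket, [p.contributor for p in items])
```

The screening result is a partition, not a boolean, so the payout job can pay the `allow` bucket, hold the `review` bucket for a human, and raise an alert on the `block` bucket; the case normalisation is what makes the upper-cased EVM address in the sample match the lower-cased list entry.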