ZachXBT, a blockchain investigator, has discovered evidence of a sophisticated network of North Korean developers who earn as much as $500,000 per month by working for “established” crypto projects.
In an Aug. 15 post on X, ZachXBT informed his over 618K followers that he believes a “single entity in Asia,” likely operating out of North Korea, is receiving $300,000 to $500,000 per month and employing at least 21 workers to contribute to over 25 crypto projects.
ZachXBT tweets “Recently, a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed. Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities. I then uncovered 25+ crypto projects with related devs that have been active since June 2024.”
ZachXBT claims that the most recent $1.3 million stolen by DPRK staff was laundered through a series of transactions, which include transferring to a theft address and culminating in 16.5 Ether being sent to two separate crypto exchanges.
ZachXBT adds, “Using multiple payment addresses for 21 devs I was able to map out a cluster with the most recent batch of payments for ~$375K over the last month.”
ZachXBT is onto North Korean crypto developers
Following a more thorough investigation, ZachXBT believes that these developers are only one part of a much more extensive network. He uncovered a cluster of developers who had received “$375,000 over the last month” and had previously transacted a total of $5.5 million.
This money was transferred to an exchange deposit address between July 2023 and some point in 2024. He was able to track multiple payment addresses. ZachXBT adds “Prior to this, $5.5M flowed into an exchange deposit address with payments DPRK IT workers were receiving from July 2023 – 2024 and connections to Sim Hyon Sop, who is OFAC sanctioned. “
US law enforcement suspects that Kim is “involved in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations” and has received $2 million in crypto for the sale of IT equipment to DPRK-affiliated teams in China and Russia.
Additionally, he discovered instances of Russian Telecom IP overlaps among developers who claimed to be located in Malaysia and the United States. “At least one of the employees “accidentally leaked their other identities on a notepad.”
At the end he points out, “A number of experienced teams have hired these devs so it’s not fair to them single as the ones to blame.”
