
A sophisticated cyber operation is quietly infiltrating remote tech jobs worldwide.
Blockchain investigator ZachXBT uncovered a major leak from a DPRK IT worker’s device showing a small team of five managing 30+ fake identities, using government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. The workers also claimed experience at top blockchain companies like Polygon Labs, OpenSea, and Chainlink.
Inside the DPRK Remote Job Operation
The spreadsheets reveal how DPRK IT workers operated, including weekly reports, expense tracking, and meeting schedules, and include a script used for the fake identity “Henry Zhang.” Their expenses show purchases of SSNs, Upwork and LinkedIn accounts, phone numbers, AI tools, rented computers, and VPNs or proxies.
Leaked Google Drive files, Chrome profiles, and device screenshots revealed that they managed schedules, tasks, and budgets mostly in English. Telegram chats show how they coordinated to land jobs, handle payments, and route salaries through crypto wallets.
One of the key signs pointing to North Korea was their use of Google Translate into Korean during searches, sometimes routed through Russian IP addresses.
Wallet Linked to $680K Favrr Exploit
Notably, one wallet was linked to multiple payments and to the $680K Favrr exploit in June 2025, where DPRK IT workers (ITWs) acted as CTO and developers using fraudulent documents. Additional operatives were connected to other projects through this same wallet address.
DPRK IT Workers Flood Remote Jobs
ZachXBT points out that the biggest challenge in stopping DPRK IT workers is poor coordination between companies and security services, along with recruitment teams who often ignore or resist warnings.
These IT workers are not especially sophisticated, but they are persistent, flooding the global job market for remote developer roles, and they commonly use Payoneer to convert regular payments into crypto.
North Korea’s Crypto Crime Network
North Korea’s cyber theft operations are massive and growing. In January, operatives stole $2.2M, and in June, authorities seized over $7.7M linked to fake remote job schemes.
North Korean hackers are tricking people with fake IT job offers to access cloud systems and steal crypto. Since 2020, these campaigns have targeted major crypto platforms, contributing to massive thefts such as Axie Infinity’s $620M breach, DMM Bitcoin’s $305M hack, and Bybit’s $1.5B heist.
Experts estimate that North Korea has stolen $1.6B in crypto so far in 2025, accounting for 35% of all stolen crypto last year, and they are showing no signs of slowing down.
