ZachXBT Reveals Five North Korean Individuals Operating Over 30 False Identities to Attack Cryptocurrency Initiatives
Prominent blockchain investigator ZachXBT has uncovered a sophisticated operation involving five North Korean IT personnel who established over 30 fraudulent identities.
These individuals utilized government-issued identification and acquired professional accounts on Upwork and LinkedIn to secure positions with cryptocurrency projects as developers.
Anonymous Source Breaches Devices of North Korean IT Workers to Uncover Operation Insights
As per on-chain intelligence released on August 13, an anonymous informant successfully infiltrated a device belonging to a Democratic People’s Republic of Korea (DPRK) IT worker, shedding light on how this five-member team carried out their employment fraud scheme.
The compromised information included exports from Google Drive, profiles from the Chrome browser, and screenshots from the device.
3/ Another spreadsheet reveals weekly reports for team members from 2025, offering insights into their operations and thought processes.
“I can’t understand job requirement, and don’t know what I need to do”
“Solution / fix: Put enough efforts in heart”
— ZachXBT (@zachxbt) August 13, 2025
All communications were conducted in English. Financial documents obtained from the breach illustrate the systematic methods employed by the technology job syndicate to acquire the necessary tools for their deception.
Their expense report outlines purchases of Social Security numbers, professional accounts (LinkedIn and Upwork), phone numbers, artificial intelligence subscriptions, computer rental services, and VPN/proxy networks.
These were all intended to fulfill blockchain industry employment criteria and enable access to internal systems and codebases.
ZachXBT’s investigation uncovered documentation detailing meeting schedules for targeted cryptocurrency projects, along with comprehensive scripts for maintaining the fraudulent identity “Henry Zhang.”
The operatives used AnyDesk software to access VPN services, allowing them to appear to be located in the regions they falsely claimed to employers as their residence.
The leaked materials included Telegram discussions where team members talked about successful job placements and payment arrangements. In these conversations, they exchanged ERC-20 wallet addresses designated for salary deposits.
The investigation took a significant turn when ZachXBT traced one frequently used ERC-20 wallet address (0x78e1) back to the recent $680,000 Favrr exploit that occurred in June 2025.
This incident involved the project’s chief technology officer and additional developers who were later identified as DPRK IT workers operating with fraudulent credentials.
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.
Additional DPRK ITWs were identified at projects from the 0x78e1 address. https://t.co/BPZmFo8n5d
— ZachXBT (@zachxbt) August 13, 2025
This discovery led several cryptocurrency projects to initiate internal investigations, revealing that some of their development teams and decision-makers were North Korean operatives using false identities.
Evidence Validates North Korean Workers’ Origin Despite Doubts
When community members raised questions regarding the operatives’ North Korean origins, ZachXBT referenced compelling evidence found within the leaked materials.
In addition to the fraudulent documentation, browser history data indicated extensive use of Google Translate for Korean language translations, all traced back to Russian IP addresses.
10/ Still one of the more common questions is “how do you know they are North Korean?”
Well besides all of the fraudulent documents detailed above their search history showed frequent Google Translate usage with translations to Korean with a Russian IP.
— ZachXBT (@zachxbt) August 13, 2025
The cryptocurrency community’s response has been varied, with many highlighting hiring negligence among teams that become defensive when alerted to potential security risks.
Some community members underscored the complexity of the fake identity and account creation ecosystem, suggesting that numerous crypto projects may be unaware of who truly has access to their GitHub repositories and sensitive code.
“It’s an operational hazard for the industry,” explained Shaun Potts, founder of crypto-focused recruiting firm Plexus, who spoke to Cryptonews about a related situation in July.
“It’s an ongoing challenge, similar to how hacking persists in technology. While you cannot eliminate it entirely, you can minimize associated risks.”
The crypto industry has demonstrated varying degrees of success in identifying these threats.
For instance, cryptocurrency exchange Kraken successfully identified a potential North Korean threat actor posing as a job candidate in May.
However, others have fallen prey to these sophisticated operations.
In January, these technologically skilled scammers allegedly stole $2.2 million worth of cryptocurrency from New York residents through text message campaigns claiming to offer remote job assistance.
DPRK-linked perpetrators landed in remote IT jobs using fake and stolen identities and exploited their company’s trust to steal and launder over $900,000 in crypto. #DPRK #NorthKoreaCrypto #CryptoScam https://t.co/6UvXug5OZp
— Cryptonews.com (@cryptonews) July 1, 2025
The scheme involved requesting job-seekers to deposit Tether (USDT) and USD Coin (USDC) stablecoins into specified cryptocurrency accounts.
Similarly, in June, U.S. authorities confiscated over $7.7 million in cryptocurrency allegedly earned through a covert network of North Korean IT workers who posed as foreign freelancers while redirecting their income back to the North Korean government.
The post ZachXBT Exposes 5 North Korean Workers Running 30+ Fake Identities to Target Crypto Projects appeared first on Cryptonews.