Blockchain investigator ZachXBT has uncovered an elaborate scheme in which a group of six North Korean IT operatives used at least 31 false identities to obtain remote jobs as blockchain developers and steal digital assets.
The discovery began when an unnamed source accessed one of the operatives’ computers.
On the computer, they found various screenshots, Google Drive exports, and Chrome profiles that explained the methods used.
During the investigation, ZachXBT found that the group was responsible for the June 2025 exploit of the fan-token marketplace Favrr.
The wallet known as “0x78e1a” is directly linked to funds stolen in the exploit.
How the Operation Worked
Investigators gained access to compromised devices, which show how the group acquired government-issued identification documents and phone numbers and purchased LinkedIn and Upwork accounts to establish their false identities.
The group used the profiles to apply for blockchain development roles, listing prior experience at well-known blockchain companies such as Polygon Labs, OpenSea, and Chainlink.
An interview script on the device also shows the operatives rehearsing answers so they would appear credible to potential employers.
Once hired, the operatives gained access to sensitive systems related to their jobs and used that access to steal crypto assets or conduct further reconnaissance.
Tools and Tactics for Concealment
The North Korean group carefully organized its operations with Google tools, using spreadsheets for budgets and schedules. They also used Google Translate to navigate the Korean–English language barrier.
A spreadsheet showed how they reliably rented computers and paid for VPN access so they could keep their online identities “fresh.”
They used remote access applications, like AnyDesk, to maintain access to the client systems while at a distance, without revealing their actual location.
VPN logs showed connections through multiple regions to mask their North Korean origin. Searches found on the device indicated a preoccupation with researching token deployment across blockchains.
The research also covered European AI developers and laid out new crypto-related targets.
Broader Pattern of DPRK Cyber Infiltration
ZachXBT’s discoveries corroborate previous cybersecurity reports warning that North Korean IT workers abuse remote contracts with the legitimate companies they end up infiltrating.
In these instances, they typically present themselves as freelance developers. Posing as developers gives them access to code repositories, backend infrastructure, and crypto wallets.
The documents from the hacked device also included extensive notes for “interview preparation”. The idea was to keep these notes nearby during video calls with potential employers, indicating that the interviews were prepared for in advance.
The method has become a major part of North Korea’s hacking tactics, letting operatives tap into very valuable technical and financial “resources” without having to hack a target directly up front.
Growing Crackdown on North Korean IT-Driven Crypto Crime
These incidents come amid an intensified global crackdown on North Korean cybercrime. UnoCrypto has reported on a good number of related cases.
On July 4, Microsoft disrupted 3,000 Outlook and Hotmail accounts associated with DPRK IT worker fraud schemes, warning that these workers had started using artificial intelligence in their attacks.
Just days later, on July 9, the United States imposed sanctions on North Korean IT workers and Russian businessman Gayk Asatryan for breaching U.S. crypto firms to steal money and launder it for North Korea’s weapons programs.
These sanctions, along with private sector actions by Microsoft and cybersecurity companies, are part of an expanding effort to identify and disrupt the networks that facilitate the growing crypto thefts by Pyongyang.