ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms

Aug 13, 2025 - 19:20

Blockchain investigator ZachXBT exposed a sophisticated North Korean IT worker operation that infiltrates Western technology companies through remote development positions.

In an Aug. 13 report, the investigator highlighted that an unnamed source compromised a device belonging to one of five DPRK IT workers, providing unprecedented access to their operational methods. 

The team systematically purchased fake social security numbers, Upwork and LinkedIn accounts, phone numbers, and computer rentals to secure developer jobs at various projects.

Google Drive exports and Chrome browser profiles revealed that the workers extensively used Google products to organize team schedules, tasks, and budgets while communicating primarily in English. 

Weekly reports from 2025 revealed that team members were struggling with job requirements, with one noting, “I can’t understand job requirement, and don’t know what I need to do,” alongside the directive to “put enough efforts in heart.”

Operational methods and technology stack

The DPRK workers followed a consistent pattern of purchasing Upwork and LinkedIn accounts, buying or renting computers, then using AnyDesk remote access software to conduct work for their employers. 

Expense spreadsheets documented purchases of artificial intelligence subscriptions, VPNs, proxies, and other tools needed to maintain their fake identities.

Meeting schedules and scripts were maintained for each fake identity, including detailed personas like “Henry Zhang” with complete backstories and work histories. 

The workers used a wallet address to send and receive payments, to which ZachXBT linked multiple fraudulent operations.

The wallet address tied the team to the $680,000 Favrr exploit from June 2025, where the company’s CTO and other developers were revealed as DPRK IT workers using fraudulent documents. 

ZachXBT identified the Favrr CTO “Alex Hong” as having a suspicious background with recently deleted LinkedIn profiles and unverifiable work history.

Unsophisticated but persistent

Browser history from the compromised devices showed frequent Google Translate usage with Korean translations while operating from Russian IP addresses. 

The evidence confirmed the workers’ North Korean origins despite their sophisticated English communications and Western personas.

ZachXBT noted the main challenge in combating DPRK IT workers stems from a lack of collaboration between services and the private sector, combined with negligence by hiring teams who become defensive when alerted about potential infiltration.

The workers convert earnings from development work into cryptocurrency through Payoneer, with the investigator noting they are “in no way sophisticated but are persistent since there are so many flooding the job market globally for roles.”

The exposure reveals the scale of North Korean infiltration into Western technology companies, with the compromised operation representing just one team among potentially hundreds operating similar schemes across remote development platforms.

The post ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms appeared first on CryptoSlate.
