
A North Korean nation-state actor accidentally exposes the inner workings of a $1 million-a-month IT worker scheme – all by detonating malware on their own computer.
- A DPRK-linked hacker appears to have exposed a $1 million-a-month IT worker scam after malware on their own computer leaked internal chats, accounts, and payment records.
- The compromised records appear to show how fake workers, forged identities, and crypto payments helped keep the operation running.
- The latest leak shows North Korean IT worker schemes are still bringing in major cash – sometimes despite glaring security mistakes.
It's not clear exactly how the infostealer malware got deployed on the hacker’s computer, but the exfiltrated data appears to have blown open the DPRK-linked operation, exposing hundreds of accounts, internal chats, browser history, fake identities, and millions of dollars in crypto payment records.
Independent internet sleuth ZachXBT – known for blowing the lid off several major hacking cases via his OSINT investigations – said he first became aware of the strange scenario after being sent a copy of the leaked data earlier this week.
“Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions,” ZachXBT posted in a series of messages on X.
After spending hours sifting through the never-before-seen data, the self-proclaimed 2D investigator said he discovered intricate details of a $1 million-per-month hacker scheme, complete with “fraudulent identities, forged legal documents, and crypto-to-fiat conversion.”
Password “123456” helped blow it open
In one of the more absurd details, ZachXBT said the workers coordinated payments on a site called "luckyguys[.]site" – using the shared password “123456” – unbelievably sloppy security for an operation he said was pulling in roughly seven figures a month.
What’s more, the “123456” password was being shared among 10 users, exposing “roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations,” he said.
ZachXBT described the WebMsg platform hosted on the "luckyguys" site as basically “a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.”
And although the internet sleuth said that the infrastructure for this particular IT worker scam shows a “less sophisticated” DPRK cluster compared to other more prominent groups like AppleJeus and TraderTraitor, some of the more interesting finds include:
- WebMsg user "Rascal" and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.
- All payments were processed and confirmed through the server admin account: PC-1234.
- Addresses in Hong Kong used for bills and goods (needs further verification).
- Records showing $3.5M+ in funds received by one payment wallet address since late November 2025.
- Three OFAC-sanctioned companies – Sobaeksu, Saenal, and Songkwang – were tied to the operation.
- Emails showing over a dozen fake personas applying for jobs through Indeed.
- 33 separate DPRK IT workers communicating on the network, along with evidence of Astrill VPN use.
One coder on X commented that in 2023, they had been duped by one of these fake IT workers and “accidentally hired a North Korean developer,” not finding out about the fraudster until a year later.
“Not even joking when I say he worked harder than any other developer I’ve ever hired. Truly 24/7 and consistent. To this day, I’m convinced it was either super intense discipline or it was just three guys rotating shifts,” they wrote. Rotating shifts on a single persona is a well-documented tactic used by DPRK IT workers.
Fake workers, real money
Often weaseling their way into cushy jobs at Fortune 100 tech companies, North Korean IT workers commonly operate out of laptop farms, rotating shifts so they can work for multiple companies at once, without their employers ever knowing.
The hundreds of thousands of dollars in paychecks, like those collected by the cluster exposed here, are converted to crypto – often through Chinese banks – and funneled back to the North Korean government for national weapons programs, including weapons of mass destruction (WMD).
Besides cashing in paychecks, the fake workers are also known to use their internal access to steal trade secrets and sensitive data from employers, even holding that data for ransom to make a quick buck.
Last year, the FBI busted a fake IT worker laptop farm in North Carolina, arresting five suspects who were said to have used fraudulent IDs, pseudonymous emails, fake social media accounts, payment platforms, online job site accounts, and false websites.
Running from 2018 through 2024, the scam garnered “at least $866,255 in revenue from 10 different US companies,” the US Department of Justice said.
How payments were processed
ZachXBT said with the information given, he was able to create a complete map of the criminal network’s organizational structure, including payment totals per user and group. Password to get into the infrastructure map: "123456", of course.
Besides uncovering the known DPRK IT worker playbook, it appears the payments lifecycle for the handlers was also consistent across the board, ZachXBT said.
The process observed here begins with the scammer transferring crypto to the payments handler known as PC-1234.
ZachXBT said those payments originated from various sources, such as a crypto exchange or service, or a crypto-to-fiat transfer through a Chinese bank account using an international payments platform, such as Payoneer.
In one sign that investigators were already tracking the DPRK cluster's payment activity, a Tron address tied to the network was frozen by Tether in December 2025, ZachXBT noted.
Once PC-1234 confirms receipt of the funds, they provide the user with account credentials, which, depending on the scammer, could be either a crypto exchange or another fintech payment platform.
Commenting about the hacker faux pas, malware repository vx-underground noted on X that “this is the 2nd time a North Korean state-sponsored Threat Actor unveiled their infrastructure and operations by accidentally detonating malware on their computers.”
“Dawg, who the fuck is running this shit?” they comically asked.
Since his reveal, ZachXBT said the internal site went dark on April 9th, but he had already archived all the data and plans to continue examining it.