North Korean hackers are using “123456” passwords, making them easy targets for other hackers


Low-tier North Korean hacking groups have left themselves open to counterattacks by using weak passwords like "123456" to protect internal payment servers processing over $3.5 million.

According to blockchain sleuth ZachXBT, threat actors are leaving an opportunity on the table by not targeting low-tier DPRK groups.

"The risk of repercussions is low, competition is minimal, and the targets are arguably deserving," he concluded after sharing his latest investigation, adding, "Imagine if the [government] started weaponizing social engineering scammers like Malone, CX, Trent, Dritan, Danish, etc., against low-tier DPRK groups."

This suggestion is inspired by another example of how so-called DPRK IT workers can be compromised themselves.

ZachXBT said that after reviewing data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, and crypto transactions received from an unnamed source, he found an intricate ~$1M/month scheme involving fraudulent identities, forged legal documents, and crypto-to-fiat conversions.

After a DPRK IT worker's device was compromised by an infostealer and the extracted data was passed to the researcher, he was able to analyze luckyguys[.]site, which appeared to be an internal payment remittance platform used by North Koreans to report payments back to their handlers.

Per the investigation, since late November 2025, more than $3.5 million has been received across the payment wallet addresses.

"The site's default password was 123456, which remained unchanged for ten users," the researcher said, later using the same password for his website investigation.io, where he mapped out the organizational structure of DPRK IT workers, including payment totals per user and group.
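The finding above, a default password left unchanged on a tenth of the accounts, is exactly what a routine credential audit on your own systems is meant to catch. The following is an added example, not code from the article or from ZachXBT's investigation: it assumes a user table storing salted PBKDF2-SHA256 hashes (the real site's storage format is not described) and checks every account against a short list of well-known default passwords, reporting which accounts still verify against one.

```python
import hashlib
import hmac
import os

# Default/placeholder passwords a deployment should never still be using.
COMMON_DEFAULTS = ["123456", "password", "admin", "12345678"]

def hash_password(password, salt, iterations=100_000):
    """PBKDF2-SHA256, hex-encoded. Assumed storage scheme for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_sample_users():
    """Constructed sample user table: a mix of accounts that changed the
    default password and accounts that never did."""
    specs = [
        ("user01", "123456"),          # still on the default
        ("user02", "correct-horse-battery-staple"),
        ("user03", "123456"),          # still on the default
        ("admin",  "admin"),           # a different, equally bad default
        ("user04", "Tr0ub4dor&3"),
    ]
    users = []
    for name, pw in specs:
        salt = os.urandom(16)
        users.append({"username": name, "salt": salt, "iterations": 100_000,
                      "hash": hash_password(pw, salt)})
    return users

def find_default_password_accounts(users, candidates=COMMON_DEFAULTS):
    """Return {username: matched_default} for every account whose stored
    hash verifies against one of the candidate default passwords.
    Verification is done the same way a login would, so the check works
    against salted hashes without the plaintext ever being stored."""
    hits = {}
    for user in users:
        for candidate in candidates:
            computed = hash_password(candidate, user["salt"], user["iterations"])
            if hmac.compare_digest(computed, user["hash"]):
                hits[user["username"]] = candidate
                break
    return hits

def audit_summary(users):
    """Fraction of accounts still on a default password, for reporting."""
    hits = find_default_password_accounts(users)
    return {"total": len(users), "on_default": len(hits), "accounts": hits}

if __name__ == "__main__":
    report = audit_summary(make_sample_users())
    print(f"{report['on_default']}/{report['total']} accounts still use a default password")
    for name, pw in report["accounts"].items():
        print(f"  {name}: default '{pw}' never changed")
```

Run this against an export of the real user table at onboarding and on a schedule; any hit is a force-reset, and a hit count that stays flat over time means the reset policy is not being enforced.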

According to the investigation, the user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations. What's more, three sanctioned companies – Sobaeksu, Saenal, and Songkwang – also appeared on the list.

As reported by Cybernews last year, several servers belonging to North Korean hackers were inadvertently uncovered, exposing logs that helped identify over 230 individuals hacked by fake recruiters.
