North Korean Hackers Use Fake Identities to Target Crypto Jobs

Generated by AI Agent | Coin World
Wednesday, Aug 13, 2025 10:27 pm ET

Aime Summary

- ZachXBT counter-hacked a North Korean IT team, exposing their use of fake identities and Google tools to target crypto jobs and platforms.

- The six-member group fabricated 31 personas, including LinkedIn/Upwork profiles, to bypass hiring processes and launder $680,000 via Favrr in 2025.

- Leaked data revealed $1,489 monthly operational costs, Payoneer-linked transactions, and reliance on AnyDesk/VPNs for remote attacks.

- US Treasury sanctioned 6 entities/individuals linked to North Korean cybercrime, but decentralized crypto transactions persistently enable such activities.

- The incident highlights vulnerabilities in freelance platforms and underscores independent researchers' critical role in countering state-sponsored cyber threats.

A cybersecurity sleuth known as ZachXBT has shared a rare glimpse into the operations of a North Korean IT team, following a counter-hack of one of their devices [1]. The incident, tied to a $680,000 exploit on the fan-token platform Favrr in June 2025, reveals that the group has been using Google services, remote access software, and freelance platforms to carry out cyber operations. The team of six individuals has fabricated 31 identities, including government IDs, phone numbers, and LinkedIn and Upwork accounts, to obscure their true affiliations and secure crypto-related jobs [2].

The leaked data shows that these operatives used tools like AnyDesk and virtual private networks (VPNs) to conduct their work remotely. They primarily communicated in English and relied on Google's translation services to bypass language barriers. One of the identities was allegedly used to apply for a full-stack engineering role at Polygon Labs, while others claimed to have experience at companies like OpenSea and [1]. Their interview responses appeared scripted, suggesting a focus on deception to gain employment in the crypto space.

Financial records obtained from the compromised device reveal that the group spent over $1,489 in May on operational costs, including tools and infrastructure to support their hacking activities. A Payoneer wallet address linked to the breach is described as “closely tied” to the Favrr exploit. This suggests the group is actively converting fiat to cryptocurrency to launder funds through digital assets [2].

The counter-hack highlights how North Korean operatives exploit weaknesses in hiring processes and freelance platforms. ZachXBT emphasized that many of these attacks are not technically complex, but the high volume of applications allows deceptive actors to slip through undetected. He also noted a lack of collaboration between tech companies and freelance platforms, which exacerbates the risk [1].

This incident comes amid broader concerns over North Korea’s digital threat landscape. The regime has a history of using cybercrime as a revenue source, with the Bybit exchange being exploited for $1.4 billion in February 2025. The latest operation, while smaller in scale, demonstrates the continued evolution of North Korean cyber tactics in targeting decentralized platforms [1].

The US Treasury has already taken steps to combat the issue, having sanctioned two individuals and four entities linked to North Korean IT operations earlier this year. However, the decentralized and often anonymous nature of cryptocurrency transactions makes it difficult to fully disrupt such activities. The counter-hack by ZachXBT underscores the critical role that independent researchers and private actors now play in exposing and countering state-sponsored cybercrime [2].

Sources:

[1] North Korean Fake IT Workers Get Counter-Hacked (https://cointelegraph.com/news/someone-counter-hacked-a-north-korean-it-worker-here-s-what-they-found)

[2] Someone counter-hacked a North Korean IT worker (https://mx.advfn.com/bolsa-de-valores/COIN/BTCUSD/crypto-news/96631524/someone-counter-hacked-a-north-korean-it-worker-h)