North Korean IT Workers Siphon $16.58 Million From Crypto Firms

Generated by AI AgentCoin World
Thursday, Jul 3, 2025 1:49 pm ET

On-chain investigator ZachXBT has uncovered a significant infiltration scheme by North Korean IT workers into cryptocurrency and technology companies. The investigation revealed that North Korean developers have siphoned $16.58 million through fake employment schemes since January 1, 2025. The payments, averaging $2.76 million per month, were made through cryptocurrency transactions, with individual payments ranging from $3,000 to $8,000 per month per worker. This indicates that between 345 and 920 jobs were compromised.

ZachXBT's findings trace the payments to multiple operational clusters across various projects. One cluster alone involved eight different North Korean developers who obtained roles at more than 12 projects. Payment addresses from this cluster were linked to two consolidation addresses used for fund collection and distribution. Sandy Nguyen, identified as a North Korean IT worker from this cluster, was spotted at an event in Russia next to a North Korea flag, providing further evidence of the infiltration.

The investigation highlights that traditional technology companies face equally severe infiltration problems. However, crypto payments create on-chain traceability, allowing investigators to trace fund flows back to hiring companies. The systematic exploitation of remote work opportunities across multiple industries suggests organized coordination among North Korean IT workers targeting Western technology companies.

ZachXBT identified several red flags that teams discovered only after hiring North Korean IT workers. These included workers refusing in-person meetings, logging in from IP addresses geolocated to countries other than their stated locations, and changing their GitHub handles and LinkedIn accounts. Payment streams from several IT employees were directed to a single cryptocurrency address, indicating coordinated financial activity behind ostensibly independent contractors.

USDC payments were transferred directly from Circle accounts to three addresses within the observed cluster. Funds moved only a single hop from an April 2023 Tether-blacklisted address belonging to Hyon Sop Sim. Other DPRK IT worker clusters currently hold substantial USDC balances across multiple addresses. The workers typically hold several roles at once and tend to be fired for poor performance, leading to high turnover. Once they have worked out how to get into teams and obtain ownership of contracts, projects are exposed to security attacks and potential exploits against protocol infrastructure.
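The red flags listed above (payouts from several "independent" contractors converging on one address, login IPs geolocated outside the declared country, refusal of in-person or video meetings) are easy to screen for once contractor records are in one place. The following is an added illustration of that screening, not ZachXBT's tooling or any code from the article; every name, address and country code in it is constructed, and the score weights are an assumption chosen for illustration.

```python
"""Screen contractor records for the DPRK IT-worker red flags described above.
Added illustration; all contractors, wallet addresses and country codes are
constructed sample data, and the scoring weights are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Contractor:
    name: str
    declared_country: str           # country the contractor claims to live in
    payout_address: str             # wallet the invoices are paid to
    login_countries: list = field(default_factory=list)  # geolocated login IPs
    declined_video_calls: int = 0   # meetings refused or camera kept off


# Constructed sample data (hypothetical names and addresses, not from the page).
CONTRACTORS = [
    Contractor("dev-a", "US", "0xCONSOLIDATION1", ["US", "US"], 0),
    Contractor("dev-b", "CA", "0xCONSOLIDATION1", ["RU", "CN"], 3),
    Contractor("dev-c", "UK", "0xCONSOLIDATION1", ["UK", "CN"], 2),
    Contractor("dev-d", "DE", "0xUNIQUE_D", ["DE"], 0),
]


def shared_payout_addresses(contractors):
    """Map each payout address used by more than one contractor to the names
    paying into it. Ostensibly independent people sharing one wallet is the
    consolidation pattern the investigation describes."""
    by_addr = defaultdict(list)
    for c in contractors:
        by_addr[c.payout_address].append(c.name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def ip_country_mismatches(contractors):
    """Return contractors with at least one login geolocated outside the
    declared country, mapped to the sorted set of foreign countries seen."""
    out = {}
    for c in contractors:
        foreign = sorted({cc for cc in c.login_countries if cc != c.declared_country})
        if foreign:
            out[c.name] = foreign
    return out


def risk_score(contractor, shared_addrs):
    """Additive score over the three red flags. Weights (3/2/1) are an
    illustrative assumption, not figures from the investigation."""
    score = 0
    if contractor.payout_address in shared_addrs:
        score += 3
    if any(cc != contractor.declared_country for cc in contractor.login_countries):
        score += 2
    if contractor.declined_video_calls >= 2:
        score += 1
    return score


def screen(contractors):
    """Score every contractor; review anyone scoring above zero, highest first."""
    shared = shared_payout_addresses(contractors)
    return {c.name: risk_score(c, shared) for c in contractors}


if __name__ == "__main__":
    print(shared_payout_addresses(CONTRACTORS))
    print(ip_country_mismatches(CONTRACTORS))
    print(screen(CONTRACTORS))
```

The shared-address check is the most valuable of the three because it is hard for the worker to fake from the inside: it needs finance data, not the contractor's self-reported profile, and it catches the consolidation pattern even when each individual looks clean on paper.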

ZachXBT also observed that North Korean IT workers now hold more U.S. exchange accounts, disproving the presumption that domestic exchanges enforce stricter KYC/AML controls than foreign ones. MEXC is still used extensively by IT workers to launder funds on-chain through chains of cryptocurrency trades. Binance usage by IT workers has dropped sharply from previous years because of improved detection and collaboration between private institutions and government agencies that has led to asset forfeiture. The arrival of neobanks and fintech platforms with stablecoin integrations has made it easy for DPRK IT workers to convert fiat into cryptocurrency.

Cryptocurrency projects do not employ the largest number of North Korean IT workers; more conventional tech companies have equally serious or worse intrusion problems. Crypto payments leave on-chain traceability that lets investigators track money back to the recruiting firms, whereas fiat payments at regular firms offer no such visibility. North Korea-associated hacking groups such as Lazarus Group stole about $2.1 billion in cryptocurrency during the first half of 2025. The largest single case was the February 2025 $1.5 billion Bybit exchange heist; of the total stolen in crypto heists over that period, $1.6 billion was taken by North Korea-linked attackers.

The author believes that teams employing many DPRK IT workers are always a sign of startup failure, reflecting a lack of threat awareness and of care in recruitment. The systematic infiltration and exploitation of remote work opportunities highlight the need for stronger security measures and vigilance in the technology and cryptocurrency sectors. The on-chain traceability of crypto payments gives investigators a valuable tool to track and expose such schemes, but traditional companies must also adopt stricter verification processes to prevent similar infiltrations.
