ZachXBT Exposes 5 North Korean Workers Using 30 Fake Identities to Infiltrate Crypto Projects

Generated by AI Agent Coin World
Wednesday, Aug 13, 2025 3:42 pm ET
Aime Summary

- ZachXBT uncovered a North Korean cyber operation using 30 fake identities on platforms like Upwork and LinkedIn to infiltrate crypto projects.

- Leaked data revealed systematic use of forged credentials, AI tools, and location-masking tech to access sensitive codebases and exploit vulnerabilities like the $680K Favrr breach.

- Industry audits exposed compromised teams while U.S. authorities seized $7.7M linked to North Korean operatives, highlighting risks in crypto hiring practices and cross-border cyber threats.

ZachXBT, a prominent blockchain investigator, has revealed an extensive fraud operation orchestrated by five North Korean IT workers who created over 30 fake identities to infiltrate cryptocurrency projects. The individuals used government-issued documentation and purchased professional profiles on platforms like Upwork and LinkedIn to pose as legitimate developers. An anonymous source compromised one of the workers’ devices, exposing internal communications, spreadsheets, and operational strategies [1].

The leaked data included Google Drive exports, Chrome browser profiles, and screenshots showing the team’s use of fabricated names and employment scripts. One of the identities, “Henry Zhang,” was maintained with detailed meeting schedules and access tools, including AnyDesk and VPN services to mimic locations claimed on job applications [1].

Financial records obtained from the breach revealed a systematic effort to acquire tools for their deception, including AI subscriptions, phone numbers, and virtual private networks. These resources were used to meet the technical demands of the blockchain industry and gain access to sensitive codebases and internal systems [1].

ZachXBT also traced a key ERC-20 wallet address (0x78e1) to the recent $680,000 Favrr exploit in June 2025. This address was linked to the project’s chief technology officer and other developers, who were later identified as North Korean operatives using fraudulent credentials. The investigation led to internal audits at several crypto projects, where it was discovered that development teams and decision-makers had been compromised [1].

Despite skepticism from some in the community, ZachXBT provided evidence confirming the operatives’ North Korean origins, including browser histories showing heavy use of Google Translate with Korean language input, traced to Russian IP addresses. The data suggested a sophisticated operation with cross-border coordination [1].

The exposure of this scheme has highlighted broader concerns about hiring practices in the crypto industry. Shaun Potts, founder of a crypto recruiting firm, noted that the issue mirrors the ongoing challenge of cybersecurity in tech and that while complete elimination is impossible, risk minimization is achievable [1].

Kraken successfully identified a potential North Korean threat actor in May 2025, demonstrating the varying success rates across the industry in detecting such threats. In contrast, a January 2025 scheme reportedly defrauded New York residents of $2.2 million in stablecoins by posing as remote job opportunities. U.S. authorities also reported in June 2025 that they had seized over $7.7 million in cryptocurrency tied to a covert network of North Korean IT workers operating under false identities [1].

These incidents underscore the growing sophistication of North Korean cyber operations targeting the crypto industry. The use of fake identities, professional platforms, and internal access tools has enabled these operatives to bypass standard vetting processes and gain positions of trust in key projects.

Source:

[1] Cryptonews.com (https://cryptonews.com/news/zachxbt-exposes-5-north-korean-workers-running-30-fake-identities-to-target-crypto-projects/)
