ZachXBT reveals a $1M monthly crypto scam linked to North Korea using fake jobs, stolen data, and hidden payment networks.
A major crypto investigation has revealed a global scam. According to blockchain investigator ZachXBT, a network associated with North Korea makes approximately $1,000,000 each month. The group is said to have used fake jobs and crypto payments, adding to growing security concerns in the crypto space.
ZachXBT Uncovers Hidden Crypto Payment Network
According to information posted on X, the findings are based on leaked internal data. The data came from a payment server and was shared by an unnamed source. This server was connected to 390 accounts, which suggests the operation is large.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate…
— ZachXBT (@zachxbt) April 8, 2026
In addition, the stolen information contained chat history, wallet history, and identity history. These records had not previously been made public. ZachXBT spent hours studying this information and, as a result, uncovered a complex system of fraud and payments.
The network used fake identities and forged documents. Workers posed as skilled developers to get jobs. In some cases, they even resorted to deepfakes to pass interviews. As a result, businesses struggled to identify the fraud at an early stage.
Coordination was done via a private site that resembled a messaging app used for reporting payments. Workers sent updates to a central handler. This points to a well-organized structure behind the operation.
At the same time, security weaknesses were discovered in the network itself. Some accounts used a default password such as 123456. Because of this, outsiders could access valuable information. This mistake helped expose the whole network.
Fraud Scheme Uses Crypto and Global Banking Channels
The probe revealed how money flowed through the system. Payments were typically made in cryptocurrency at first. The money was later converted into fiat currency and then transferred to Chinese bank accounts.
In addition, services such as Payoneer were used in certain instances. This facilitated the transfer of money across borders, making such transactions harder for authorities to monitor.
Overall, more than $3,500,000 has been collected since November 2025. The transactions all followed the same pattern: crypto was first moved through exchanges or services, then converted and transferred to other accounts.
Moreover, ZachXBT linked the money to legitimate businesses: Sobaeksu, Saenal, and Songgwang. These companies are already restricted by the U.S. government.
Nevertheless, analysts believe that this group is not as sophisticated as leading hacking teams. Groups such as Lazarus Group, for example, are more capable. Still, this network remains dangerous due to its persistence.
In the meantime, this kind of insider access poses grave threats. Employees are able to access systems and insert malicious code. This has resulted in significant hacks in the past. One example is a Drift Protocol exploit in April 2026, costing 280,000,000.
To sum up, this investigation highlights the increasing threats in crypto and remote work. Although the scheme is not complex, its effects are significant. Businesses therefore need to strengthen their security checks. Stronger regulation and greater awareness can help curb such scams in the future.


