TLDR
- ZachXBT exposed 5 North Korean IT workers creating 30+ fake identities to infiltrate crypto projects
- An unnamed source compromised a DPRK worker’s device, revealing extensive documentation of their operation
- The team purchased SSNs, professional accounts, VPNs, and other tools to appear legitimate
- One wallet linked to these workers was connected to the recent $680,000 Favrr exploit
- Multiple crypto projects discovered their developers were actually North Korean operatives using false credentials
A team of North Korean IT workers has been exposed for creating dozens of fake identities to infiltrate cryptocurrency projects, according to an investigation by blockchain sleuth ZachXBT. The findings, published on August 13, 2025, reveal how these operatives managed to secure positions as developers while hiding their true origins.
The investigation began when an anonymous source successfully compromised a North Korean IT worker’s device. The breach yielded Google Drive exports, Chrome browser profiles, and device screenshots, providing rare insight into the inner workings of the operation.
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.
— ZachXBT (@zachxbt) August 13, 2025
Documents obtained from the breach showed that a team of five North Korean IT workers had created more than 30 fake identities. These identities were backed by purchased government-issued ID cards and professional accounts on platforms like LinkedIn and Upwork.
The operatives maintained detailed expense spreadsheets documenting their purchases. These included Social Security numbers, phone numbers, artificial intelligence subscriptions, computer rental services, and VPN services.
All communications were conducted in English, though browser history revealed extensive use of Google Translate for Korean-language translations. The IP addresses used in these translations originated from Russia, further confirming the North Korean connection.
Sophisticated Deception Techniques
The team used remote access software like AnyDesk to connect through VPN services. This allowed them to appear as if they were working from the locations they claimed to their employers.
ZachXBT uncovered scripts prepared for maintaining fake identities during interviews. One such script was for a persona named “Henry Zhang.” The investigation also revealed that one team member had interviewed for a full-stack engineer position at Polygon Labs.
5/ Here is a spreadsheet that shows the meeting schedules for jobs and a script used for the fake identity ‘Henry Zhang’
— ZachXBT (@zachxbt) August 13, 2025
Other documents showed fake claims of experience at major crypto companies. These included claims of working at NFT marketplace OpenSea and blockchain oracle provider Chainlink.
Telegram conversations between team members revealed discussions about successful job placements and payment arrangements. They shared ERC-20 wallet addresses designated for receiving salary payments.
Link to Major Crypto Hack
The investigation took a turn when ZachXBT traced one frequently used ERC-20 wallet address (0x78e1) back to the recent $680,000 Favrr exploit. This hack occurred in June 2025 and involved the project’s chief technology officer.
Further investigation revealed that the CTO and additional developers at Favrr were actually North Korean operatives using fraudulent credentials. This discovery prompted several other cryptocurrency projects to conduct internal reviews.
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.
Additional DPRK ITWs were identified at projects from the 0x78e1 address. https://t.co/BPZmFo8n5d
— ZachXBT (@zachxbt) August 13, 2025
These reviews uncovered more instances of North Korean operatives holding key development positions using false identities. The discovery highlights major security vulnerabilities within crypto projects’ hiring processes.
For payments, the North Korean workers often used Payoneer to convert fiat currency into cryptocurrency. Their expenses for May 2025 alone totaled $1,489.80 to maintain their operation.
Industry Response and Previous Incidents
The cryptocurrency community has shown mixed reactions to these revelations. Many point to hiring negligence among teams that become defensive when alerted to potential security threats.
Some exchanges have successfully identified these threats. Cryptocurrency exchange Kraken identified a potential North Korean threat actor posing as a job candidate in May.
However, others have fallen victim to similar schemes. In January, these technically skilled scammers allegedly stole $2.2 million in cryptocurrency from New York residents. They used text messages claiming to offer remote job assistance.
More recently, in June, U.S. authorities seized over $7.7 million in cryptocurrency earned through a covert network of North Korean IT workers. These individuals posed as foreign freelancers while channeling income back to the North Korean government.
Last month, the U.S. Treasury took direct action by sanctioning two people and four entities involved in a North Korea-run IT worker ring infiltrating crypto firms.
ZachXBT has called on crypto and tech firms to perform more thorough due diligence on potential hires. He noted that many of these operations aren’t highly sophisticated, but the volume of applications often leads to hiring teams becoming careless.
The breach provides rare insight into North Korean crypto operations, which have been linked to major hacks including the $1.4 billion exploit of crypto exchange Bybit in February.
The post North Korean IT Workers Created 30+ Fake Identities to Target Crypto Projects appeared first on Blockonomi.
Source: https://blockonomi.com/north-korean-it-workers-created-30-fake-identities-to-target-crypto-projects/