- Over $16.58 million has been funneled to North Korean IT workers so far in 2025
- These workers pose as freelancers to get jobs at hundreds of crypto and tech startups
- They bypass security checks and route crypto payments to sanctioned DPRK-linked addresses
A growing national security concern is unfolding quietly across the global tech and crypto industries. According to data from the on-chain sleuth ZachXBT, over $16.58 million has been funneled to North Korean IT workers since the start of 2025 alone, a figure that amounts to roughly $2.76 million per month.
These developers pose as legitimate freelancers but are secretly tied to the DPRK regime. Using simple tactics and social engineering, they’ve breached technical teams, secured sensitive roles, and routed crypto payments into addresses linked to sanctioned actors.
What Are the Red Flags and Risk Patterns?
These IT workers typically earn between $3,000 and $8,000 per month, which suggests that anywhere from 345 to 920 jobs have been compromised this year alone. While that number is staggering, the patterns behind their employment reveal a concerning lack of diligence in the hiring and vetting processes at many companies.
Most teams fail to notice glaring indicators, such as workers who refuse to meet local team members despite claiming to live nearby, or those who use Russian IP addresses while claiming to be based in the U.S. In some cases, these workers even refer each other to new roles, creating internal clusters of compromised staff.
How Are They Bypassing Security Checks?
Many of these IT workers show clear signs of deceit. They frequently change their GitHub usernames, delete their LinkedIn profiles after securing a job, and often fail basic Know Your Customer (KYC) checks. Despite these red flags, crypto firms continue to unknowingly process payments to them, sometimes directly from regulated platforms like Circle.
Circle and Compliance Concerns
In one instance, USDC payments were traced to an address just one hop away from a Tether-blacklisted account tied to a known DPRK operative. What’s more alarming is the presence of U.S.-based exchange accounts held by these workers.
Despite the assumption that platforms like Coinbase and Robinhood enforce stricter KYC, many of these workers have been able to use these services without detection. Others still prefer exchanges like MEXC for laundering funds on-chain, having moved away from Binance due to its improved oversight.
Why Are Startups at Such High Risk?
While crypto projects are often highlighted, traditional tech companies face just as much exposure to this threat. These workers often juggle multiple remote roles, perform poorly, and are frequently fired, but the damage can be done long before they are removed.
Once they are embedded in a project, especially in a smart contract development role, they pose a real threat to a project’s integrity and financial security. Ultimately, many teams have prioritized cost-cutting over security, hiring cheaper international talent without performing sufficient background checks. This has created an environment that is ripe for exploitation.
Source: https://coinedition.com/north-korean-it-workers-infiltrate-us-crypto-companies/