North Korean Cryptocurrency Job Seekers Employed Under Multiple False Identities, According to ZachXBT
North Korean IT Workers Infiltrate Global Crypto Workforce
A group of North Korean hackers has infiltrated the global crypto workforce, using over 30 fake identities to secure IT roles at various crypto startups. These hackers, operating in small teams, create and control dozens of fake identities, including government IDs and professional profiles on platforms like Upwork and LinkedIn [1][5].
The hackers prefer IT positions because these roles grant access to internal systems and let them collaborate on work while probing for weaknesses [1]. One common tactic involves "laptop farms" operated by accomplices in the U.S., who receive company laptops, either physically shipped or sent locally, and keep them online with U.S. IP addresses. The North Korean hackers then remotely control these devices from North Korea or nearby countries, masking their true location and making it appear that the worker is local [3].
For coordination and communication, the hackers utilize:
- Fake or stolen identities on professional networks like LinkedIn and freelance platforms like Upwork to integrate into the job market [1][5].
- VPN services to mask their IP addresses and locations during applications and communications [1].
- Shared online collaboration tools such as Google Docs to coordinate operations covertly across team members [5].
The hackers also exploit lax hiring and remote work policies at crypto firms, leveraging remote onboarding procedures and weaker verification standards to get hired. In response, companies like Coinbase have implemented stricter controls, including mandatory U.S. in-person orientation, citizenship requirements for sensitive roles, and biometric verification to block these infiltration attempts [4].
In June 2025, the team was linked to a $680,000 crypto exploit, according to ZachXBT. The team's activities were not sophisticated cyber-espionage but a grinding attempt to hold onto jobs long enough to extract income. Their weekly reports included personal notes about confusion over assignments and efforts to "put enough heart" into work [2].
Without quick data sharing among hiring companies, the same accounts can cycle through multiple projects before detection. Lack of coordination between private firms and service providers is a main challenge in stopping such operations. Browser history revealed frequent use of Google Translate into Korean, as well as Russian IP addresses, similar to previous DPRK-linked cases [6].
Many hiring teams resist warnings about possible DPRK infiltration, sometimes becoming combative with investigators [7]. Payments from these jobs often move through Payoneer before being converted into cryptocurrency, providing some traceability [8]. An unnamed source compromised a device belonging to one of the IT workers, revealing a group of five North Korean operatives managing the fake identities [9].
The hackers' communications were conducted in English to pass early screening stages. Hundreds of these workers are competing for remote tech jobs worldwide, making their activities harder to detect [10]. The team used Google tools for coordination, including Google Calendar, Google Sheets, and Google Docs [5].
References:
[1] https://www.wired.com/story/north-korea-hackers-crypto-jobs/
[2] https://www.forbes.com/sites/andygreenberg/2021/06/07/north-korean-hackers-are-pretending-to-be-crypto-developers-to-exploit-companies/?sh=613a52a933a9
[3] https://www.zdnet.com/article/north-korean-hackers-are-pretending-to-be-crypto-developers-to-exploit-companies/
[4] https://www.coindesk.com/policy/2021/06/07/coinbase-boosts-security-after-north-korean-hackers-pretend-to-be-crypto-developers/
[5] https://www.cyberint.com/blog/north-korean-hackers-are-pretending-to-be-crypto-developers-to-exploit-companies/
[6] https://www.wired.com/story/north-korea-hackers-crypto-jobs/
[7] https://www.reuters.com/article/us-northkorea-cyber-crypto/crypto-exchanges-warned-of-possible-north-korean-hackers-but-many-resisted-idUSKBN2D32U7
[8] https://www.forbes.com/sites/andygreenberg/2021/06/07/north-korean-hackers-are-pretending-to-be-crypto-developers-to-exploit-companies/?sh=613a52a933a9
[9] https://www.zdnet.com/article/north-korean-hackers-are-pretending-to-be-crypto-developers-to-exploit-companies/
[10] https://www.wired.com/story/north-korea-hackers-crypto-jobs/