
ZachXBT Uncovers Alleged DPRK Network
ZachXBT has exposed an alleged DPRK-linked IT network generating $1 million monthly through crypto payments. The leaked material includes 390 accounts, chat logs, and fake identities.
Introduction to the Alleged DPRK Network
The alleged network used crypto-to-fiat rails to move funds at scale, with $3.5 million in processed payments since late November 2025. The leaked records point to a system that allegedly used fake identities, internal messaging, and crypto transactions.
Structure and Security of the Network
Internal Payment Server
The internal payment server, known as luckyguys.site or WebMsg, was used by workers to report payments to handlers. Some users never changed the default password, 123456, a significant weakness for an operation moving millions.
Sanctioned Entities and Frozen Addresses
The records appear to connect the infrastructure to sanctioned corporate names, including Sobaeksu, Saenal, and Songkwang. ZachXBT also tied internal payment addresses to known DPRK IT worker clusters, including an Ethereum address and a Tron address that Tether froze in December 2025.
Crypto Payments and Illicit Finance
The alleged network's use of crypto payments highlights the flexibility of digital assets in supporting covert financial infrastructure. The same rails that make cross-border value transfer efficient can also make illicit financial infrastructure remarkably durable.
Key Takeaways
- ZachXBT exposed an alleged DPRK-linked IT network generating $1 million monthly through crypto payments.
- The leaked material includes 390 accounts, chat logs, and fake identities.
- The alleged network used crypto-to-fiat rails to move funds at scale, with $3.5 million in processed payments since late November 2025.
- The network's use of crypto payments highlights the flexibility of digital assets in supporting covert financial infrastructure.
Frequently Asked Questions
What is the significance of the alleged DPRK network?
The alleged network's use of crypto payments and fake identities highlights the risks of illicit finance and the need for increased scrutiny of digital asset transactions.
How did ZachXBT uncover the alleged network?
ZachXBT spent long hours analyzing data exfiltrated from an internal North Korean payment server, which included 390 accounts, chat logs, and crypto transactions.



