ZachXBT Publishes Leaked DPRK Payment Data Showing $1M Monthly Crypto-to-Fiat Pipeline

Blockchain researcher ZachXBT published an 11-part thread on April 8, 2026, exposing data exfiltrated from an internal North Korean payment server used by DPRK IT workers, revealing over $3.5 million in processed payments since late November 2025.

Key Takeaways:

  • ZachXBT’s April 8 investigation exposed a DPRK IT worker payment server that processed over $3.5 million since late November 2025.
  • Three OFAC-sanctioned entities, Sobaeksu, Saenal, and Songkwang, appeared in the breached user database from luckyguys.site.
  • The internal DPRK site went offline on April 9, 2026, but ZachXBT archived all of the data before publishing the 11-part thread.

North Korean Hackers Used Default Password ‘123456’ on Internal Crypto Payment Server

The leaked data came from a DPRK IT worker’s device compromised by infostealer malware. An unnamed source shared the files with ZachXBT, who confirmed the material had never been publicly released. The extracted records included about 390 accounts, IPMsg chat logs, fabricated identities, browser history, and cryptocurrency transaction records.

The internal platform at the center of the investigation was luckyguys.site, also referred to internally as WebMsg. It functioned as a Discord-style messenger, allowing DPRK IT workers to report payments to their handlers. At least 10 users had never changed the default password, which was set to “123456.”

The user database contained roles, Korean names, cities, and coded group names consistent with known DPRK IT worker operations. Three companies appearing in the list, Sobaeksu, Saenal, and Songkwang, are currently sanctioned by the U.S. Treasury’s Office of Foreign Assets Control.

Payments were confirmed through a central admin account identified as PC-1234. ZachXBT shared direct message examples from a user nicknamed “Rascal,” which detailed transfers tied to fraudulent identities spanning December 2025 through April 2026. Some messages referenced Hong Kong addresses for bills and goods, though their authenticity was not verified.

The associated payment wallet addresses received more than $3.5 million during that period, equating to about $1 million per month. Workers used forged legal documents and fake identities to obtain employment. Crypto was either transferred directly from exchanges or converted to fiat through Chinese bank accounts using platforms like Payoneer. The admin account PC-1234 then confirmed receipt and distributed credentials for various crypto and fintech platforms.

Onchain analysis tied the internal payment addresses to known clusters of DPRK IT workers. Two specific addresses were identified: an Ethereum address and a Tron address that Tether froze in December 2025.

ZachXBT used the full dataset to map the complete organizational structure of the network, including payment totals per user and per group. He published an interactive org chart covering December 2025 through February 2026 at investigation.io/dprk-itw-breach, accessible with the password “123456.”

The compromised device and chat logs produced further details. Workers used Astrill VPN and fake personas to apply for jobs. Internal Slack discussions included a post from a user named “Nami” sharing a blog about a DPRK worker deepfake applicant. The admin also sent 43 Hex-Rays and IDA Pro training modules to workers between November 2025 and February 2026, covering disassembly, decompilation, and debugging. One shared link specifically addressed unpacking hostile PE executables.

Thirty-three DPRK IT workers were found communicating through the same IPMsg network. Separate log entries referenced plans to steal from Arcano, a GalaChain game, using a Nigerian proxy, though the outcome of that effort was not clear from the data.

ZachXBT characterized this cluster as less operationally sophisticated than higher-tier DPRK groups such as AppleJeus or TraderTraitor. He previously estimated that DPRK IT workers collectively generate multiple seven figures per month. He noted that low-tier groups like this one attract threat actors because the risk is low and competition is minimal.

The luckyguys.site domain went offline on Thursday, the day after ZachXBT published his findings. He confirmed the full dataset was archived before the site was taken down.

The investigation offers a direct view into how DPRK IT worker cells collect payments, maintain fake identities, and move money through crypto and fiat systems, with documentation that shows both the scale and the operational gaps these groups rely on to stay active.