1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, and crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.
Enjoy the findings!

2/ A DPRK IT worker had their device compromised via an infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.
Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site
An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.

3/ The site's default password was 123456, which remained unchanged for ten users.
The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.
Three companies that appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.

4/ Here is one of the WebMsg users, 'Rascal', and their DMs with PC-1234 detailing payment transfers and the use of fraudulent identities from December 2025 through April 2026.
All payments are processed and confirmed through the server admin account: PC-1234.
Addresses in Hong Kong were used for bills and goods, though their authenticity requires further verification.

5/ Since late November 2025, $3.5M+ was received across the payment wallet addresses.
The remittance pattern was consistent across users:
Users transfer crypto originating from an exchange or service, or convert it to fiat via Chinese bank accounts through platforms like Payoneer.
PC-1234 then confirms receipt and provides account credentials, varying between crypto exchanges and fintech payment platforms depending on the user.

6/ Using the full dataset I mapped out the complete organizational structure of the network, including payment totals per user and group.
The interactive org chart can be accessed here:
Password: 123456
Note: Data range is Dec 2025 through Feb 2026. Payment totals are derived from scraped transaction data and may vary slightly.

7/ Tracing the internal payment addresses revealed on-chain links to several attributed DPRK IT workers from known clusters.
The Tron payment address was frozen by Tether in December 2025.
Payment addresses:
0xb51DA55047Fd899aD08Ab5CE349823664d311998
TSxYS91qoXrJUoMhWaQfMz9p2b7FTw57L3

8/ Jerry's compromised device shows usage of Astrill VPN and various fake personas applying for jobs.
An internal Slack showed 'Nami' sharing a blog post about a DPRK IT worker deepfake job applicant. A second user asked if it was them, while a third noted they aren't allowed to share external links.
Another screenshot shows 33 DPRK IT workers communicating on the same network via IPMsg.

9/ Jerry actively discussed stealing from a project, Arcano, a GalaChain game, with another DPRK IT worker via a Nigerian proxy.
However, it remains unclear if the attack later materialized.

10/ The admin sent 43 Hex-Rays/IDA Pro training modules to the group from Nov 2025 to Feb 2026.
The trainings covered disassembly, decompilation, local and remote debugging, and various cybersecurity topics.
A link sent on November 20 explicitly stated: 'using-ida-debugger-to-unpack-an-hostile-pe-executable'

11/ This cluster of DPRK IT worker activity is less sophisticated compared to groups like AppleJeus and TraderTraitor, which operate far more efficiently and present the greatest risks to the industry.
I previously estimated DPRK IT workers generate multiple seven figures per month in revenue, and the data here supports that.
Unpopular opinion: threat actors are leaving an opportunity on the table by not targeting low-tier DPRK groups. The risk of repercussions is low, competition is minimal, and the targets are arguably deserving.
I plan to continue building out with future findings.
Special thanks to @domain for helping me purchase two premium domains.