This article is from: ZachXBT
Translation | Odaily Planet Daily (@OdailyChina); Translator | Azuma (@azuma_eth)
Editor's Note: North Korean hackers have long been a major threat to the cryptocurrency market. In previous years, victims and industry security staff could only infer the behavior patterns of North Korean hackers by reverse engineering each individual security incident after the fact. Yesterday, however, the well-known on-chain investigator ZachXBT published a tweet citing the analysis of a white-hat hacker who had hacked a North Korean IT worker's device, revealing for the first time how these operators "work" from the inside rather than from the victim's side. That view may help industry projects put preemptive security measures in place.
Below is the full text from ZachXBT, translated by Odaily Planet Daily.
An anonymous hacker who wishes to remain unnamed recently hacked into the device of a North Korean IT worker, exposing the inner workings of a five-person technical team that operated more than 30 fake identities. The team not only held government-issued fake identification documents but also infiltrated various development projects by purchasing Upwork and LinkedIn accounts.
Investigators obtained their Google Drive data, Chrome browser profiles, and device screenshots. The data shows that the team heavily relied on Google tools to coordinate work schedules, task assignments, and budget management, with all communications conducted in English.
A weekly report document from 2025 revealed the working patterns of this hacker team and the difficulties they encountered during that period, for example, one member complained about "not understanding the work requirements and not knowing what to do," and the corresponding solution column surprisingly stated "put in effort and double down"…
The expenditure details recorded show that their expenses included the purchase of Social Security Numbers (SSNs), transactions for Upwork and LinkedIn accounts, phone number rentals, AI service subscriptions, computer rentals, and VPN/proxy service procurement, among others.
One spreadsheet detailed the schedule and script for attending meetings under the fake identity "Henry Zhang." The operational process shows that these North Korean IT workers would first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work using AnyDesk remote control tools.
One of the wallet addresses they used for receiving and sending funds is 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c.
This address is closely linked on-chain to the $680,000 Favrr protocol attack incident that occurred in June 2025, which was later confirmed to involve its CTO and other developers who were North Korean IT workers holding fake documents. Other North Korean IT personnel involved in infiltration projects were also identified through this address.
The team's search records and browser history also revealed the following key evidence.
Some may ask, "How can we confirm they are from North Korea?" In addition to all the fraudulent documents detailed above, their search history shows they frequently used Google Translate and translated into Korean using Russian IPs.
Currently, the main challenges for companies in preventing North Korean IT workers focus on the following aspects:
- Lack of systematic collaboration: There is a lack of effective information sharing and cooperation mechanisms between platform service providers and private enterprises;
- Employer oversight: Hiring teams often exhibit a defensive attitude after receiving risk warnings, even refusing to cooperate with investigations;
- Quantity advantage impact: Although their technical means are not complex, they continuously infiltrate the global job market with a large pool of job seekers;
- Fund conversion channels: Payment platforms like Payoneer are frequently used to convert fiat income from development work into cryptocurrency.
I have introduced several indicators to watch out for multiple times, and those interested can refer to my historical tweets; I will not repeat them here.
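The Google Translate evidence above (frequent translation into Korean, found in the team's Chrome profile) is the kind of artifact an investigator pulls from Chrome's `History` database. The following is an added example, not code from ZachXBT, the anonymous hacker, or Odaily: it rebuilds Chrome's `urls` table in memory from constructed rows and reports which target languages the profile translated into and when it last did so. The `urls` table schema, the WebKit timestamp epoch, and Google Translate's `sl`/`tl` query parameters are real Chrome and Google conventions; every row, hostname, and helper name below is an assumption made for illustration. The Russian-IP attribution mentioned above does not live in the History database and is not covered here.

```python
"""Tally Google Translate target languages from a Chrome History database.

Added example (not ZachXBT's or the investigator's code): rebuilds Chrome's
`urls` table in memory from constructed rows, then reports which target
languages the profile translated into and when it last did so.  The table
schema, the WebKit timestamp epoch and Google Translate's `sl`/`tl` query
parameters are real conventions; every row below is invented.
"""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed rows: (url, title, visit_count, last_visit_time).
SAMPLE_ROWS = [
    ("https://translate.google.com/?sl=en&tl=ko&text=deadline%20tomorrow&op=translate",
     "Google Translate", 14, 13386038400000000),   # 2025-03-10
    ("https://translate.google.com/?sl=en&tl=ko&text=code%20review&op=translate",
     "Google Translate", 9, 13385952000000000),    # 2025-03-09
    ("https://translate.google.com/?sl=ko&tl=en&text=%EB%82%B4%EC%9D%BC&op=translate",
     "Google Translate", 3, 13385865600000000),    # 2025-03-08
    ("https://translate.google.com/", "Google Translate", 2, 13385779200000000),  # no tl=
    ("https://www.upwork.com/ab/account-security/login", "Log In - Upwork", 21, 13386038400000000),
]


def webkit_to_datetime(microseconds: int) -> datetime:
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def translate_target(url: str):
    """Return the `tl` target language of a translate.google.com URL, else None."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "translate.google.com":
        return None
    tl = parse_qs(parsed.query).get("tl")
    return tl[0].lower() if tl else None


def build_sample_history() -> sqlite3.Connection:
    """Create an in-memory database with Chrome's `urls` table and the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " url LONGVARCHAR,"
        " title LONGVARCHAR,"
        " visit_count INTEGER DEFAULT 0 NOT NULL,"
        " typed_count INTEGER DEFAULT 0 NOT NULL,"
        " last_visit_time INTEGER NOT NULL,"
        " hidden INTEGER DEFAULT 0 NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def tally_translate_targets(conn: sqlite3.Connection) -> Counter:
    """Visits per target language, summed over all Google Translate URLs."""
    counts = Counter()
    for url, visit_count in conn.execute("SELECT url, visit_count FROM urls"):
        tl = translate_target(url)
        if tl:
            counts[tl] += visit_count
    return counts


def latest_visit_by_language(conn: sqlite3.Connection) -> dict:
    """Most recent visit time per target language."""
    latest = {}
    for url, ts in conn.execute("SELECT url, last_visit_time FROM urls"):
        tl = translate_target(url)
        if tl:
            when = webkit_to_datetime(ts)
            if tl not in latest or when > latest[tl]:
                latest[tl] = when
    return latest


if __name__ == "__main__":
    # On a real case, copy the locked `History` file out of the Chrome profile
    # first and pass sqlite3.connect(copy_path) instead of the sample DB.
    db = build_sample_history()
    last = latest_visit_by_language(db)
    for lang, n in tally_translate_targets(db).most_common():
        print(f"{lang}: {n} visits, last {last[lang].isoformat()}")
```

Chrome keeps the `History` file locked while the browser runs, so on a live device copy it out of the profile directory (or image the disk) before opening it. The visit counts are the profile's aggregate `visit_count`; per-visit timestamps live in the separate `visits` table if a timeline is needed.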
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes on rights, please send proof of rights and identity to support@aicoin.com, and the platform's staff will investigate.