ZachXBT: North Korean IT personnel exposed for manipulating 30+ false identities, involved in $680,000 attack

PANews|Aug 13, 2025 13:02
According to ZachXBT, a source hacked into equipment used by North Korean IT personnel and discovered that their small team obtained developer positions through more than 30 false identities, used government IDs to purchase Upwork and LinkedIn accounts, and conducted work through AnyDesk. The relevant data includes Google Drive exports, Chrome configuration files, and screenshots.
The wallet address 0x78e1 is closely linked to the June 2025 $680,000 attack on the Favrr platform, and more North Korean IT personnel have also been identified. The team uses Google products to schedule tasks, purchase SSNs, AI subscriptions, VPNs, etc. Part of the browsing history shows frequent use of Google Translate to translate Korean, with an IP address in Russia. Neglect on the part of recruiters and the lack of collaboration between services have become the main challenges in combating such behavior.