ZachXBT has probed the DPRK developers behind Web3 attacks, exposing a $16.58M payment trail that leads to fake workers and insider threats. The investigation uncovered 6 DPRK clusters that had successfully embedded themselves in more than 12 crypto projects. Their participants received a total of $16.58M in payments since January 2025, and with salary estimates ranging from $3K to $8K per month, this corresponds, approximately, to 345 – 920 job positions across crypto projects, DeFi platforms, and tech companies. In other words, ZachXBT is asserting the existence of a truly large-scale network with numerous actors and a developed infrastructure. Let’s examine its findings closely.
Bonus Tip: Deposit $500 or more on Phemex and get up to $650 back in trading rewards — exclusive to Bitcoinsensus readers. Learn more here.
More on ZachXBT’s Findings and the Scale of the Underground DPRK IT Structure
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.
— ZachXBT (@zachxbt) July 2, 2025
To put this in perspective, payments range from $3K-8K per month meaning… pic.twitter.com/pjHZG9wJ4r
So, ZachXBT reports at least six active DPRK ITW clusters, one of which is documented in detail. This cluster included eight accounts linked to North Korean IT specialists who held roles in more than 12 crypto projects. ZachXBT also conducted on-chain analysis that revealed payment transfers to two consolidation addresses:
- 0x58225fed0714e5b9b235642eba7dae3714090a2d
- 0xa7f9555c34626eb81b64774356a40ca1a6a794ca
It is worth noting that ZachXBT behaves highly professionally and avoids premature statements. The five additional clusters are still being tracked, but their details have not yet been published. ZachXBT also notes that participants in such clusters often hold several roles simultaneously but show high turnover due to low qualifications.
There are several other red flags, for example:
- Refusal to meet in person while declaring presence in the same city
- Cross-referrals between multiple DPRK ITWs in one project
- Mismatch between geolocation and IP (e.g., Russian IPs with declared California location)
- Deleted LinkedIn profiles, changed GitHub usernames
- Matching addresses for receiving payments
- Individual accounts also failed basic KYC checks
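The red flags above are all checkable against data a hiring team or security team already holds (IdP login logs, payroll records, referral history, KYC results). The following screening script is an added example written for this article, not code from ZachXBT's investigation; the contractor records, field names, country codes and payout addresses are constructed placeholders, and the choice of which signals to combine is an assumption.

```python
"""Screen contractor records for the red flags listed above.

Added example with constructed data. Fields, thresholds and handles are
assumptions for illustration; none of this comes from the investigation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Contractor:
    handle: str
    declared_country: str                 # country the person claims on their profile
    login_countries: Set[str]             # countries seen in IdP / VPN login logs
    payout_address: str                   # on-chain address they asked to be paid at
    referred_by: Optional[str] = None     # handle of the existing contractor who vouched
    refused_in_person: bool = False       # declined to meet despite claiming the same city
    linkedin_deleted: bool = False
    github_handle_changed: bool = False
    kyc_passed: bool = True


def screen(contractors: List[Contractor]) -> Dict[str, List[str]]:
    """Return {handle: [reason, ...]} for every contractor that tripped at least one flag."""
    by_handle = {c.handle: c for c in contractors}
    flags: Dict[str, List[str]] = defaultdict(list)

    # Flag 1: the same payout address used by more than one supposedly independent person.
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for c in contractors:
        by_addr[c.payout_address.lower()].append(c.handle)
    for handles in by_addr.values():
        if len(handles) > 1:
            for h in handles:
                others = sorted(set(handles) - {h})
                flags[h].append(f"shared payout address with {others}")

    for c in contractors:
        # Flag 2: declared location never appears among the countries they actually log in from.
        if c.login_countries and c.declared_country not in c.login_countries:
            flags[c.handle].append(
                f"declared {c.declared_country} but logs in from {sorted(c.login_countries)}")
        # Flag 3: mutual referral (A vouched for B and B vouched for A).
        referrer = by_handle.get(c.referred_by) if c.referred_by else None
        if referrer is not None and referrer.referred_by == c.handle:
            flags[c.handle].append(f"mutual referral with {c.referred_by}")
        # Flag 4: profile churn and process avoidance.
        if c.refused_in_person:
            flags[c.handle].append("refused in-person meeting")
        if c.linkedin_deleted:
            flags[c.handle].append("LinkedIn profile deleted")
        if c.github_handle_changed:
            flags[c.handle].append("GitHub username changed")
        if not c.kyc_passed:
            flags[c.handle].append("failed basic KYC")

    # Flag 5: referred by someone who is themselves flagged. Snapshot first so the
    # result does not depend on the order of the input list.
    flagged_before = set(flags)
    for c in contractors:
        if c.referred_by in flagged_before:
            flags[c.handle].append(f"referred by flagged contractor {c.referred_by}")
    return dict(flags)


def rank(flags: Dict[str, List[str]]) -> List[str]:
    """Handles ordered by number of flags, most suspicious first."""
    return sorted(flags, key=lambda h: (-len(flags[h]), h))


# Constructed sample roster: "alice" is clean, "bob" and "carol" share an address and
# vouch for each other, "dave" was vouched for by carol and failed KYC.
SAMPLE = [
    Contractor("alice", "US", {"US"}, "0xCLEAN_PLACEHOLDER_1"),
    Contractor("bob", "US", {"RU"}, "0xSHARED_PLACEHOLDER", referred_by="carol",
               refused_in_person=True),
    Contractor("carol", "US", {"RU"}, "0xSHARED_PLACEHOLDER", referred_by="bob",
               linkedin_deleted=True, github_handle_changed=True),
    Contractor("dave", "DE", {"DE"}, "0xCLEAN_PLACEHOLDER_2", referred_by="carol",
               kyc_passed=False),
]

if __name__ == "__main__":
    result = screen(SAMPLE)
    for handle in rank(result):
        print(handle, "->", "; ".join(result[handle]))
```

Each flag on its own is weak (people do change GitHub handles), which is why the script reports reasons rather than a verdict and ranks by how many independent signals coincide; the shared-address and mutual-referral checks are the ones that turn a single odd hire into a cluster.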
3/ Sandy Nguyen (@bullishgopher) a DPRK ITW from this cluster was spotted via OSINT next to the North Korea flag at an event in Russia.
— ZachXBT (@zachxbt) July 2, 2025
A small group of people still believe North Korean devs are just a conspiracy despite all of the IOCs, research, etc., widely available. pic.twitter.com/itcRoZSlQ3
ZachXBT specifically highlighted that one of the identified DPRK ITWs, known as Sandy Nguyen (@bullishgopher), was recorded at an event in Russia next to a DPRK flag, which strengthened OSINT confirmation of his ties.
The analysis also showed that USDC was transferred directly from Circle accounts to three addresses belonging to one of the DPRK clusters. One of them was only one hop away from an address added to the Tether blacklist in April 2023 due to ties with Hyon Sop Sim. Other DPRK ITW clusters also hold significant amounts of USDC. In this regard, ZachXBT criticized Circle’s positioning as the most “compliant stablecoin,” stating that the platform does not provide proper channels for reporting illicit activity and does not engage in incident management during major exploits.
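The "one hop away from a blacklisted address" observation is a graph-distance question that any compliance or treasury team can answer from its own transfer records. The script below is an added example, not ZachXBT's tooling; the transfers, the issuer, exchange and blacklist addresses are constructed placeholders. It treats transfers as undirected edges, caps the search depth, and, as a deliberate design choice, refuses to walk through known hub addresses (an issuer's treasury, an exchange hot wallet), since those connect nearly every address to every other within two hops and would make the result meaningless.

```python
"""Hop distance from payout addresses to a sanctions/blacklist set.

Added example with constructed transfers. All addresses are placeholders.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed transfer log: (sender, receiver, token, amount).
TRANSFERS = [
    ("0xISSUER_PLACEHOLDER",   "0xCLUSTER_A",            "USDC", 4000),
    ("0xCLUSTER_A",            "0xBLACKLISTED_PLACEHOLDER", "USDT", 1500),
    ("0xISSUER_PLACEHOLDER",   "0xCLUSTER_B",            "USDC", 7000),
    ("0xCLUSTER_B",            "0xCLUSTER_A",            "USDC", 2000),
    ("0xISSUER_PLACEHOLDER",   "0xCLUSTER_C",            "USDC", 3000),
    ("0xCLUSTER_C",            "0xEXCHANGE_PLACEHOLDER", "USDC", 3000),
]
BLACKLIST = {"0xBLACKLISTED_PLACEHOLDER"}
# Hub addresses that are never traversed through (issuer treasury, exchange hot wallet).
HUBS = {"0xISSUER_PLACEHOLDER", "0xEXCHANGE_PLACEHOLDER"}


def build_graph(transfers: Iterable[Tuple]) -> Dict[str, Set[str]]:
    """Undirected adjacency: funds flowing either way count as a link."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for sender, receiver, *_ in transfers:
        s, r = sender.lower(), receiver.lower()
        adj[s].add(r)
        adj[r].add(s)
    return adj


def hops_to_blacklist(addr: str, adj: Dict[str, Set[str]], blacklist: Set[str],
                      hubs: Set[str] = frozenset(), max_hops: int = 3
                      ) -> Optional[Tuple[int, List[str]]]:
    """BFS from addr; returns (hops, path) to the nearest blacklisted address within
    max_hops, or None. BFS guarantees the first hit is the shortest path."""
    start = addr.lower()
    bl = {b.lower() for b in blacklist}
    hub = {h.lower() for h in hubs}
    if start in bl:
        return 0, [start]
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue                      # do not expand beyond the depth cap
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt in bl:
                return len(new_path) - 1, new_path
            if nxt in hub:
                continue                  # record but never route through a hub
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def screen_addresses(addrs: Iterable[str], transfers: Iterable[Tuple], blacklist: Set[str],
                     hubs: Set[str] = frozenset(), max_hops: int = 3
                     ) -> Dict[str, Optional[Tuple[int, List[str]]]]:
    adj = build_graph(transfers)
    return {a: hops_to_blacklist(a, adj, blacklist, hubs, max_hops) for a in addrs}


if __name__ == "__main__":
    for a, hit in screen_addresses(["0xCLUSTER_A", "0xCLUSTER_B", "0xCLUSTER_C"],
                                   TRANSFERS, BLACKLIST, HUBS).items():
        print(a, "->", "no link within 3 hops" if hit is None else f"{hit[0]} hop(s) via {hit[1]}")
```

Running it with the hub exclusion switched off shows why it matters: 0xCLUSTER_C, which has no real relationship to the blacklisted address, suddenly reports a three-hop link purely because it and 0xCLUSTER_A both received stablecoins from the same issuer address.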
ZachXBT also refutes the view that the problem is limited to crypto projects: the analysis shows that tech companies and traditional fintechs exhibit the same vulnerability. At the same time, fiat payments are almost impossible to trace, whereas crypto transfers, and USDC in particular, can be traced on-chain. The growth of neo-banks and fintech platforms with stablecoin integration has simplified DPRK ITWs’ access to fiat-to-crypto on-ramping operations.
Conclusion
As usual, ZachXBT has conducted strong analytical work, and I would definitely expect updates on this investigation, which he promises. First, it may provide additional evidence that would allow more definitive conclusions. Second, it could further help the industry more precisely identify the depth and scale of the problem.
Regardless, a certain degree of DPRK infiltration likely exists, and companies should pay close attention to security not only at the technical layer but also at the human layer. This is an absolute necessity as increasing capital enters blockchain and crypto companies, and financial firms are already competing with traditional banks in terms of volume.