Blockchain investigator ZachXBT claims to have uncovered a network of North Korean developers involved in multiple cryptocurrency projects, allegedly earning between $300,000 and $500,000 monthly.
ZachXBT, known for his blockchain investigative work, shared his findings on 15 August. He asserts that at least 21 developers are working on over 25 crypto projects, with significant amounts of money being funnelled to a single entity, possibly operating out of North Korea.
$1.3M Theft and Laundering Scheme
ZachXBT was contacted by a crypto team seeking help after discovering a $1.3 million theft from their treasury. Unbeknownst to them, they had hired North Korean IT workers who executed the theft using malicious code.
Theft address: 6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet
The stolen funds were then laundered through several transactions, after which 16.5 Ether was split between two different exchanges.
Evidence of a Larger Operation
Upon further investigation, ZachXBT traced multiple payment addresses linked to the developers. He discovered an address cluster that had received $375,000 in the last month alone; its past transactions, totalling $5.5 million, had been deposited into a single exchange address from mid-2023 onwards.
These financial flows were traced back to IT workers in North Korea and were connected to individuals such as Sim Hyon Sop, who is sanctioned by the Office of Foreign Assets Control (OFAC) for financing North Korea’s weapons programmes. Another individual, Sang Man Kim, also linked to DPRK-related cybercrime, was found to have connections to the same network.
North Korean leader Kim Jong-un suspected of involvement
US law enforcement suspects that Kim is “involved in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations” and has received $2 million in crypto for the sale of IT equipment to DPRK-affiliated teams in China and Russia.
Further digging revealed that some of the developers involved had IP address overlaps with Russian telecom providers, even though they claimed to be based in the United States or Malaysia. At least one worker inadvertently exposed their other identities on a notepad.
These developers were often placed by recruitment companies, with some even referring each other for jobs. ZachXBT notes that many experienced teams unknowingly hired these North Korean developers.
North Korea is notorious in the crypto industry
North Korean organisations have been linked to numerous cyberattacks and scams over the years. Their tactics often include phishing, software exploitation, cyber intrusions, and infiltration.
The US government has previously warned about the increasing presence of North Korean workers in freelance tech jobs, especially within the crypto industry.
The notorious Lazarus Group, connected to North Korea, has reportedly stolen over $3 billion in cryptocurrency in recent years.