Silent Infiltration: North Korean IT Workers Funnel $16.58 Million Through Hundreds of Remote Jobs

By June, Jul 03, 2025

ZachXBT revealed North Korean IT workers have infiltrated hundreds of remote jobs, funneling over $16.58 million since January 2025. They often hold multiple roles, get fired for poor performance, and pose major security risks once embedded in teams.

In a detailed investigation shared on July 2, on-chain detective ZachXBT revealed that North Korean (DPRK) IT workers have quietly infiltrated hundreds of remote jobs worldwide, funneling more than $16.58 million since January 1, 2025.

The revelation comes after ZachXBT first hinted at the severity of the issue on June 27. His latest findings estimate that these IT workers are securing approximately $2.76 million per month, with individual salaries ranging from $3,000 to $8,000 per month. Based on this, North Korean operatives are estimated to have infiltrated between 345 and 920 developer positions globally.

“It’s depressing how many teams hire DPRK IT workers when basic due diligence would likely have prevented it,” ZachXBT emphasized.

Notably, the total payments uncovered do not include funds stolen through known exploits conducted by these operatives in prior incidents involving platforms such as LND, ChainSaw, Favrr, Munchables, and Dream.

Deep Dive Into The Network

In his post, ZachXBT shared an on-chain visual tracing one of six North Korean IT worker clusters he has been actively monitoring. Within this cluster alone, he successfully attributed eight DPRK IT workers working across more than 12 different projects. He tracked their payment flows to two key consolidation addresses, providing clear evidence of their coordinated financial networks.

“They typically take on multiple roles at once and frequently get fired due to underperformance so turnover is high,” ZachXBT noted. “Once they infiltrate a team and take ownership of contracts your project becomes at risk of an incident.”

ZachXBT highlighted that DPRK IT workers are increasingly using US-based exchanges like Coinbase and Robinhood, despite their strict KYC policies. MEXC has now become a preferred laundering hub, while Binance, once heavily used, is rarely involved today due to improved detection and stronger industry collaboration.

Broader Implications

ZachXBT also stressed that while the focus is often on crypto projects, traditional tech companies are equally affected, if not more so. Unlike crypto payments, which leave on-chain trails, fiat payments in traditional companies are much harder to trace, making it more difficult to alert employers.

The rise of neobanks and fintech platforms integrating stablecoins has further simplified the on-ramp process from fiat to crypto for these operatives, expanding their reach beyond the crypto-native ecosystem.

Recent Exploits Tied To DPRK IT Workers

ZachXBT has been actively tracking DPRK hacker activity and their growing involvement in project compromises. On June 27, ZachXBT revealed that over $1 million was stolen in a series of NFT exploits linked to a DPRK IT worker cluster accidentally hired as developers.

Targets included Replicandy by Pepe creator Matt Furie and ChainSaw. On June 18, the attacker withdrew mint proceeds, unpaused minting, mass-minted NFTs, and dumped them into bids, collapsing the floor price to zero. On June 23, the same attacker took over ChainSaw’s Peplicator, Hedz, and Zogz and repeated the same attack.

Another project, Favrr, a Web3 fandom trading platform, was exploited for over $680,000 on June 25.

Bybit Hack Marks One of Crypto’s Largest Heists, Tied to North Korea’s Lazarus Group

While these NFT exploits are among the more recent incidents, North Korean cyberattacks have been ongoing for years, including one of the largest crypto heists in history. In February 2025, Dubai-based exchange Bybit experienced a significant security breach, with hackers stealing roughly $1.4 billion from its Ethereum cold wallets, making it one of the largest losses in cryptocurrency history. The incident was linked to the Lazarus Group, a cybercrime organization widely believed to be backed by North Korea.

This record-breaking breach is just one example of North Korea’s extensive cyber theft campaigns that have spanned several years and continue to grow. A report by U.S. cybersecurity firm Recorded Future, published in November 2023, estimated that North Korean hackers have stolen approximately $3 billion in cryptocurrency since 2017. In 2020, the United States placed North Korean nationals associated with the Lazarus Group on its Cyber Most Wanted list. Still, the chances of capturing them are slim unless they leave North Korea.

The scale and persistence of North Korean IT worker infiltration highlight a growing blind spot across both the crypto and traditional tech sectors. These operatives have not only funneled millions through legitimate payroll channels but have also actively exploited the projects that unknowingly hired them. As ZachXBT’s investigation shows, the threat is not limited to high-profile hacks; it is embedded in the daily operations of companies that overlook basic due diligence.

June joined the crypto space in 2021. She's passionate about data, blockchain innovation, and everything Web3.