Exposed: How North Korean IT Operatives Exploit Google Docs, Upwork & LinkedIn to Fuel Crypto Schemes
Silicon Valley tools turned weapons in Pyongyang's digital heist.
The freelancer facade cracks open
They posed as remote developers—coding, designing, and collaborating like any global team. Except their paychecks flowed straight to Kim Jong-un's nuclear program. A sprawling network of DPRK operatives has been caught hijacking mainstream platforms to funnel crypto earnings past international sanctions.
Cloud-based sanctions busting
Google Docs and Drive became their coordination hub. LinkedIn profiles built on purchased identities landed them contracts on Upwork. Payments? Converted from fiat to crypto as soon as they cleared, so no bank compliance desk, SWIFT screen or OFAC sanctions check ever sees a North Korean counterparty.
The compliance wake-up call
While Wall Street still debates blockchain's 'real use cases,' authoritarian regimes are executing billion-dollar heists under its nose. Maybe decentralized finance should focus less on ape JPEGs and more on, say, preventing nuclear proliferation?
DPRK Operatives Flood Crypto Job Market
According to ZachXBT's tweets, the DPRK team used government-issued IDs (fraudulent ones, as the Favrr case later showed) to register accounts on Upwork and LinkedIn and to obtain developer roles on multiple projects. Investigators obtained an export of the workers' Google Drive, Chrome profiles, and screenshots, which showed that Google products were central to organizing schedules, tasks, and budgets, with communications conducted primarily in English.
Among the documents is a 2025 spreadsheet containing weekly reports from team members, which shed light on their internal operations and mindset. Typical entries included statements such as “I can’t understand the job requirement, and don’t know what I need to do,” with self-directed notes like “Solution / fix: Put enough efforts in heart.”
Another spreadsheet tracks expenses, showing purchases of Social Security numbers, Upwork and LinkedIn accounts, phone numbers, AI subscriptions, computer rentals, and VPN or proxy services. Meeting schedules and scripts for fake identities, including one under the name “Henry Zhang,” were also recovered.
The team's operational methods reportedly involved purchasing or renting computers, driving them remotely over AnyDesk, and converting earned fiat into cryptocurrency via Payoneer. One wallet address associated with the group (shown truncated as 0x78e1) is linked on-chain to the $680,000 exploit of Favrr in June 2025; the project's CTO and other developers were later identified as DPRK IT workers using fraudulent documents, and further DPRK-linked workers on other projects were tied to the same address.
Indicators of their North Korean origin include frequent Google Translate lookups into Korean, made from Russian IP addresses. ZachXBT said that these IT workers are not particularly sophisticated; what makes them effective is persistence and the sheer number of roles they apply for worldwide.
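The indicators above (AnyDesk on a rented machine, VPN/proxy egress, logins from a country other than the one on the profile, Google Translate into Korean) are the kind of thing a project's security or compliance team can check against its own access and endpoint telemetry. The following is an added example, not code from the article or from ZachXBT's investigation: it scores each contractor's events against those indicators and flags accounts for review. The event schema, the process-name list beyond AnyDesk, the weights and the threshold are assumptions, and every log event is constructed for illustration.

```python
"""
Screen contractor telemetry for DPRK IT-worker tradecraft.

Added example; not part of the article. Field names (user, type, ip, geo,
proxy, name, url), indicator weights and the review threshold are
assumptions chosen for illustration. All events below are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Process names treated as remote-access tooling. AnyDesk is the tool the
# article names; the other entries are common equivalents added as assumptions.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "anydesk", "teamviewer.exe", "rustdesk.exe"}

# Indicator weights (assumptions). No single indicator reaches the threshold
# on its own, so ordinary travel or a lone VPN login does not trigger review.
WEIGHTS = {
    "remote_access_tool": 2,   # rented/remote machine driven over AnyDesk
    "vpn_or_proxy_egress": 1,  # VPN/proxy services appear in the expense sheet
    "geo_mismatch": 2,         # login country differs from the declared one
    "korean_translate": 3,     # Google Translate with Korean as the target
}
REVIEW_THRESHOLD = 4

# Constructed sample telemetry resembling a SIEM export. "geo" is assumed to be
# pre-resolved from "ip" by a GeoIP step that is out of scope here.
EVENTS = [
    {"user": "henry.zhang", "type": "login", "ip": "5.188.10.7", "geo": "RU", "proxy": True},
    {"user": "henry.zhang", "type": "process", "name": "AnyDesk.exe"},
    {"user": "henry.zhang", "type": "web",
     "url": "https://translate.google.com/?sl=en&tl=ko&text=job+requirement"},
    {"user": "henry.zhang", "type": "login", "ip": "5.188.10.9", "geo": "RU", "proxy": True},
    {"user": "dana.ortiz", "type": "login", "ip": "73.2.1.5", "geo": "US", "proxy": False},
    {"user": "dana.ortiz", "type": "login", "ip": "142.1.1.5", "geo": "CA", "proxy": False},
    {"user": "dana.ortiz", "type": "web", "url": "https://translate.google.com/?sl=en&tl=es&text=hola"},
    {"user": "dana.ortiz", "type": "process", "name": "code.exe"},
]

# Country each contractor declared on their profile (constructed).
DECLARED_COUNTRY = {"henry.zhang": "US", "dana.ortiz": "US"}


def translate_target(url: str):
    """Return the target language ('tl') of a Google Translate URL, else None."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "translate.google.com":
        return None
    return parse_qs(parsed.query).get("tl", [None])[0]


def indicators_for(event: dict, declared: dict) -> set:
    """Map one event to the set of indicator names it triggers."""
    hits = set()
    kind = event["type"]
    if kind == "process" and event["name"].lower() in REMOTE_ACCESS_TOOLS:
        hits.add("remote_access_tool")
    elif kind == "login":
        if event.get("proxy"):
            hits.add("vpn_or_proxy_egress")
        expected = declared.get(event["user"])
        if expected and event.get("geo") != expected:
            hits.add("geo_mismatch")
    elif kind == "web" and translate_target(event["url"]) == "ko":
        hits.add("korean_translate")
    return hits


def score_events(events: list, declared: dict) -> dict:
    """Aggregate indicators per user and decide who needs manual review."""
    found = defaultdict(set)
    for event in events:
        found[event["user"]] |= indicators_for(event, declared)
    report = {}
    for user in sorted({e["user"] for e in events}):
        indicators = sorted(found[user])
        score = sum(WEIGHTS[i] for i in indicators)
        report[user] = {
            "indicators": indicators,
            "score": score,
            "review": score >= REVIEW_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for user, result in score_events(EVENTS, DECLARED_COUNTRY).items():
        flag = "REVIEW" if result["review"] else "ok"
        print(f"{user:12} score={result['score']:2} {flag:6} {result['indicators']}")
```

Run it and "henry.zhang" is flagged with all four indicators, while "dana.ortiz", whose only hit is a single login from a neighbouring country, stays below the threshold. The point of weighting rather than alerting on any one indicator is the one ZachXBT's data makes: none of these behaviours is unusual on its own, and it is the combination that gives the pattern away.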
Challenges in countering these operations include poor collaboration between private companies and services, as well as resistance from teams when fraudulent activity is reported.
North Korea’s Persistent Threat
North Korean hackers, notably the Lazarus Group, continue to pose a significant threat to the industry. In February 2025, the group carried out the largest crypto exchange hack in history, stealing approximately $1.5 billion in Ether and related tokens from Dubai-based Bybit.
The attackers did not break the multisig itself. They compromised a developer machine at Safe{Wallet}, the third-party multisig interface Bybit used, and served Bybit's signers a tampered signing interface, so the signers approved what looked like a routine transfer but in fact replaced the cold wallet's contract logic, after which the funds were drained to attacker-controlled wallets. The FBI attributed the breach to the North Korean cluster it tracks as "TraderTraitor". The lesson for anyone operating a multisig is to verify the decoded transaction on the hardware signing device itself rather than trusting the web front end, because the front end is exactly what was compromised.
Then, in July 2025, the Indian exchange CoinDCX lost about $44 million in a theft that was also linked to the Lazarus Group. The attackers got into CoinDCX's liquidity-provisioning infrastructure using exposed internal credentials and drained the account from there.