ZachXBT Unmasks North Korea’s Cyber Army: 30 Fake IT Identities Exposed on Dev Platforms

Published: 2025-08-13 18:19:10

ZachXBT exposes North Korean IT workers operating 30 fake identities across development platforms

North Korea's digital infiltration game just got busted wide open. Blockchain sleuth ZachXBT has ripped the mask off a sprawling network of DPRK-linked IT operatives—posing as freelancers across global development platforms using a staggering 30 fake identities.

Shadow IT workforce exposed

These aren't your average script kiddies. The uncovered operation shows military-grade deception tactics, with operatives allegedly building software for unsuspecting Western clients while funneling proceeds back to Pyongyang's crypto coffers. Talk about outsourcing your sanctions evasion.

The crypto connection

While the report doesn't specify exact payment methods, the timing couldn't be more poetic—just as traditional finance institutions are finally warming to blockchain, we get a reminder why decentralized verification matters. Maybe next time VCs fund a "revolutionary" dev platform, they'll check if the engineers actually exist first.

Operational methods and technology stack

The DPRK workers followed a consistent pattern of purchasing Upwork and LinkedIn accounts, buying or renting computers, then using AnyDesk remote access software to conduct work for their employers. 

Expense spreadsheets documented purchases of artificial intelligence subscriptions, VPNs, proxies, and other tools needed to maintain their fake identities.

Meeting schedules and scripts were maintained for each fake identity, including detailed personas like “Henry Zhang” with complete backstories and work histories. 

The workers used a wallet address to send and receive payments, to which ZachXBT linked multiple fraudulent operations.

The wallet address tied the team to the $680,000 Favrr exploit from June 2025, where the company’s CTO and other developers were revealed as DPRK IT workers using fraudulent documents. 

ZachXBT identified the Favrr CTO “Alex Hong” as having a suspicious background with recently deleted LinkedIn profiles and unverifiable work history.

Unsophisticated but persistent

Browser history from the compromised devices showed frequent Google Translate usage with Korean translations while operating from Russian IP addresses. 

The evidence confirmed the workers’ North Korean origins despite their sophisticated English communications and Western personas.

ZachXBT noted the main challenge in combating DPRK IT workers stems from abetween services and the private sector, combined with negligence by hiring teams who become defensive when alerted about potential infiltration.

The workers convert earnings from development work into cryptocurrency through Payoneer, with the investigator noting they are “in no way sophisticated but are persistent since there are so many flooding the job market globally for roles.”

The exposure reveals the scale of North Korean infiltration into Western technology companies, with the compromised operation representing just one team among potentially hundreds operating similar schemes across remote development platforms.
