Recommended

#BTCCOGWEEK: Celebrate the Classics of Meme Coins
Crypto Deposit Make instant crypto transfers to your futures account
USDT-M Perpetual Futures Trade futures contracts settled in USDT
VIP Fee Discounts Enjoy different fee discounts based on your VIP level
Coin-M Perpetual Futures Trade futures contracts settled in cryptocurrency
Fiat Deposit Buy your favourite coins in seconds
Affiliates Invite friends & get rewarded
Convert Covert your crypto instantly
Support Centre Find our FAQs here
Announcements Find all our official announcements
BTCC Academy Learn about blockchain and crypto
News The latest trends in the crypto market

Promotions

Referral
Campaigns
Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / H0ldM4st3r /
North Korean Devs Swipe $16.5M in Crypto via Fake Jobs—Up to 920 Roles Exposed, ZachXBT Reveals

North Korean Devs Swipe $16.5M in Crypto via Fake Jobs—Up to 920 Roles Exposed, ZachXBT Reveals

Author:
H0ldM4st3r
Published:
2025-07-04 11:09:01
11
2


Blockchain sleuth ZachXBT uncovers a massive North Korean infiltration scheme where developers posing as remote workers funneled $16.58M from crypto and tech firms since 2025. With payments averaging $2.76M/month and ties to sanctioned addresses, this operation reveals systemic weaknesses in hiring practices—especially in crypto, where chain tracing exposes flows traditional finance misses. Lazarus Group’s $2.1B heists in H1 2025 add context to this shadow workforce.

North Korean developer infiltration graphic

Source: Original investigation visuals by ZachXBT

How Much Did North Korean Devs Steal Through Fake Jobs?

ZachXBT’s bombshell report traces $16.58 million in crypto payments to North Korean IT workers across 345–920 compromised roles since January 2025. Monthly payouts averaged $2.76M, with individual salaries ranging $3K–$8K—suggesting state-coordinated payrolls rather than organic hires. The BTCC analytics team notes these figures likely undercount fiat payments, which lack blockchain’s transparency.

One cluster alone involved 8 developers across 12+ projects, funneling funds to two consolidation addresses. "This isn’t freelance gig work—it’s a payroll system," remarked a BTCC analyst. Transactions linked to blacklisted 2023 addresses (like Hyon Sop Sim’s) confirm ties to sanctioned entities.

What Red Flags Did Companies Miss?

The investigation reveals laughably obvious patterns:

  • Ghosting IRL: Workers claiming to be in California refused in-person meetups, then logged in via Russian IPs.
  • Mutual "Recommendations": Three devs from the same group pushed each other for roles—like a Pyongyang version of LinkedIn.
  • GitHub Graveyards: Sudden repo deletions and vaporized LinkedIn profiles post-hire.

Payment flow chart

Source: ZachXBT’s transaction mapping

Why Is Crypto Both the Problem and Solution?

Paradox alert: While crypto payments enabled these heists, they also allowed tracing. USDC transfers from Circle accounts led directly to cluster addresses. Meanwhile, traditional tech firms face worse infiltration with zero visibility—imagine this scheme with Venmo.

North Korean operatives now exploit fintech integrations: "Neobanks supporting stablecoins became their fiat on-ramps," notes ZachXBT. Though Binance usage dropped post-crackdowns, MEXC remains a laundry favorite.

How Does This Tie to Lazarus’ $2.1B Heists?

The timing screams correlation. In H1 2025 alone, North Korean-linked hackers stole $2.1B in crypto—including Bybit’s $1.5B February breach. ZachXBT suggests these "employees" may have laid groundwork for exploits:

"Once they gain contract ownership, protocols become sitting ducks."

Lazarus Group connections

Source: ZachXBT’s geopolitical mapping

FAQ: Your Burning Questions Answered

How did North Koreans pass KYC?

They didn’t—many failed verification but slipped through anyway. Others used stolen identities or complicit exchanges.

Which companies hired these workers?

ZachXBT withheld names to avoid victim-blaming, but traces show payments from crypto startups and Fortune 500 tech firms.

Why focus on crypto when traditional tech is worse?

Blockchain’s transparency lets us quantify the damage. Your bank wouldn’t even know if it happened to them.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service
Social Media

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2025 BTCC.com. All rights reserved