North Korean Devs Swipe $16.5M in Crypto via Fake Job Scam—920+ Roles Hijacked, ZachXBT Reveals

Published: 2025-07-03 17:20:00

North Korean hackers just schooled Silicon Valley in grift efficiency—turning fake job postings into a $16.5M crypto heist.

How it worked: Lazarus Group 2.0?

Posing as legit recruiters, the operatives compromised up to 920 developer roles across Web3 projects. No flashy code exploits—just old-fashioned LinkedIn phishing with a crypto payout twist.

The finance punchline: VCs will probably fund this 'innovative hiring model' as a SaaS platform by Q3.

ZachXBT's on-chain sleuthing shows the stolen funds already hopping across mixers—because nothing unites decentralized finance like centralized theft.

On-chain investigator ZachXBT revealed extensive North Korean infiltration of cryptocurrency and technology companies through fake employment schemes.

The investigation traces $16.58 million in payments to DPRK IT workers while identifying multiple operational clusters across various projects.

ZachXBT Reveals $16.58 Million in Payments to North Korean Devs

ZachXBT’s investigation uncovers $16.58 million in payments to North Korean IT workers since January 1, 2025, averaging $2.76 million per month through cryptocurrency transactions.

Payments range from $3,000 to $8,000 per month per worker, which implies that between 345 jobs (at the high end of the pay range) and 920 jobs (at the low end) have been infiltrated.

Details of North Korean workers by ZachXBT

The on-chain sleuth monitors six different clusters of DPRK IT workers. One cluster alone involves 8 different North Korean developers who obtained roles at more than 12 projects.

Payment addresses from this cluster trace back to two consolidation addresses used for fund collection and distribution.

Sandy Nguyen, identified as a DPRK IT worker from this cluster, was spotted via open-source intelligence next to a North Korean flag at an event in Russia.

ZachXBT noted that traditional technology companies face equally severe infiltration problems. Crypto payments, however, create on-chain traceability that allows fund flows to be traced back to the hiring companies.

The investigation reveals systematic exploitation of remote work opportunities across multiple industries.

The monthly payment volumes show sustained operations rather than isolated incidents. This suggests organized coordination among North Korean IT workers targeting Western technology companies.

Operational Indicators Expose Systematic Infiltration Methods

ZachXBT identified multiple red flags that teams discovered after hiring North Korean IT workers, revealing consistent operational patterns across infiltrated projects.

Workers refused in-person meetings with team members despite claiming to live in the same city.

Three IT workers from the same cluster referred each other for roles at the same project, indicating coordinated infiltration rather than independent job applications.

Staff members supposedly located in California used Russian IP addresses during working sessions, contradicting their purported locations and breaching security.

Other suspicious activities include changes of GitHub handle, deletion of LinkedIn accounts, and failed periodic KYC verification across many employees.

Payment streams for several IT employees were directed to a single cryptocurrency address, indicating coordinated financial activity behind ostensibly independent contractors.
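The red flags above (shared payout addresses, session IPs that contradict the claimed location, referral rings within a cluster) can be checked mechanically during contractor reviews. The following screening pass is an added example, not ZachXBT's or BTCC's code; the contractor records are constructed, and the per-session country values are assumed to come from an existing geo-IP lookup.

```python
from collections import defaultdict

# Constructed contractor records (not real data); "session_countries" is assumed
# to be filled from a geo-IP lookup of each working-session source address.
CONTRACTORS = [
    {"id": "dev-a", "claimed_country": "US", "session_countries": ["RU", "RU", "US"],
     "payout_address": "0xPAYOUT-1", "referred_by": None},
    {"id": "dev-b", "claimed_country": "US", "session_countries": ["US"],
     "payout_address": "0xPAYOUT-1", "referred_by": "dev-a"},
    {"id": "dev-c", "claimed_country": "CA", "session_countries": ["CA"],
     "payout_address": "0xPAYOUT-2", "referred_by": "dev-b"},
    {"id": "dev-d", "claimed_country": "DE", "session_countries": ["DE"],
     "payout_address": "0xPAYOUT-3", "referred_by": None},
]

def shared_payout_addresses(records):
    """Payout addresses used by more than one contractor (one wallet, many 'people')."""
    by_addr = defaultdict(list)
    for r in records:
        by_addr[r["payout_address"]].append(r["id"])
    return {addr: ids for addr, ids in by_addr.items() if len(ids) > 1}

def location_mismatches(records):
    """Contractors whose session IPs resolved to a country other than the one claimed."""
    return [r["id"] for r in records
            if any(c != r["claimed_country"] for c in r["session_countries"])]

def referral_expansion(records, flagged):
    """Grow the flagged set along referral links, transitively (cluster referral rings)."""
    referrer = {r["id"]: r["referred_by"] for r in records}
    expanded, changed = set(flagged), True
    while changed:
        changed = False
        for rid, ref in referrer.items():
            if ref in expanded and rid not in expanded:
                expanded.add(rid)
                changed = True
    return expanded

def screen(records):
    """Map each flagged contractor id to the list of red flags raised for it."""
    reasons = defaultdict(list)
    for addr, ids in shared_payout_addresses(records).items():
        for i in ids:
            reasons[i].append(f"shares payout address {addr}")
    for i in location_mismatches(records):
        reasons[i].append("session IP country differs from claimed location")
    for i in referral_expansion(records, set(reasons)) - set(reasons):
        reasons[i].append("referred by a flagged contractor")
    return dict(reasons)
```

On the constructed records, `screen(CONTRACTORS)` flags dev-a (shared wallet plus Russian session IPs), dev-b (shared wallet) and dev-c (referred by dev-b), and leaves dev-d clean.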

Details of a North Korean dev identified in Russia

USDC payments were transferred directly from Circle accounts to three addresses within the observed cluster. The funds were only a single hop away from an address belonging to Hyon Sop Sim that Tether blacklisted in April 2023.

Other DPRK IT worker clusters currently have substantial USDC balances in multiple addresses.

The workers typically hold several roles simultaneously and tend to be fired for poor performance, leading to high turnover.

Once the workers have penetrated a team and claimed ownership of contracts, the project is exposed to attacks and potential exploits against its protocol infrastructure.

Threat Spills Over Crypto with $2.1 Billion in Heists

ZachXBT also observed that North Korean IT workers increasingly hold accounts at U.S. exchanges such as Coinbase and Robinhood, disproving the presumption that domestic exchanges enforce stricter KYC/AML controls than offshore ones.

MEXC is still extensively used by the IT workers to launder funds on-chain through a chain of cryptocurrency trades.

Binance usage by the IT workers has dropped drastically from previous years thanks to improved detection and to collaboration between private institutions and government agencies that has led to asset forfeiture.

The arrival of neobanks and fintech platforms that support stablecoin integrations has made it easy for DPRK IT personnel to convert fiat into cryptocurrency.

ZachXBT also states that cryptocurrency projects do not employ the largest number of North Korean IT workers; conventional tech companies have equally serious or even worse infiltration problems.

Crypto payments leave an on-chain trail that lets investigators track money back to the hiring firms, whereas fiat payments at conventional firms offer no such visibility.

North Korean-associated hacking groups such as Lazarus Group stole about $2.1 billion in cryptocurrency during the first half of 2025.

The largest single case was the February 2025 Bybit cryptocurrency exchange heist of $1.5 billion; in total, $1.6 billion of the crypto heists were carried out by North Korea-linked attackers.

The author believes that teams employing many DPRK IT workers are invariably failing startups, since the threat is not sophisticated and being caught by it reflects a lack of attention to recruitment.
