North Korean IT Operatives Deployed 30+ Fake Identities in Brazen Crypto Company Infiltration
Pyongyang's digital mercenaries just leveled up their hacking game—and crypto firms are in the crosshairs.
How they did it: A sprawling network of fabricated personas bypassed KYC checks at exchanges. Think LinkedIn profiles with Stanford degrees, GitHub repos full of copied code, and references from 'former colleagues' who never existed.
The payload: While regulators were busy debating stablecoin definitions, these operatives allegedly siphoned seven figures' worth of digital assets—proving once again that in crypto, the only 'decentralized' thing is accountability.
Inside the operation
The compromised device showed that the small team — six members in total — shared at least 31 fake identities. To land blockchain development jobs, they amassed government-issued IDs and phone numbers, even buying LinkedIn and Upwork accounts to complete their cover.
An interview script found on the device showed them boasting of experience at well-known blockchain firms, including Polygon Labs, OpenSea, and Chainlink.
Google tools were central to their organized workflow. The threat actors were found to be using Google Drive spreadsheets to track budgets and schedules, while Google Translate bridged the language gap between Korean and English.
Among the information pulled from the device was a spreadsheet that showed IT workers were renting computers and paying for VPN access to buy fresh accounts for their operations.
The team also relied on remote access tools such as AnyDesk, allowing them to control client systems without revealing their true locations. VPN logs tied their activity to multiple regions, masking North Korean IP addresses.
Additional findings revealed the group looking up ways to deploy tokens across different blockchains, scouting AI firms in Europe, and mapping out fresh targets in the crypto space.
North Korean threat actors use remote jobs
ZachXBT found the same pattern flagged in multiple cybersecurity reports — North Korean IT workers landing legitimate remote jobs to slip into the crypto sector. By posing as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.
One document uncovered on the device contained interview notes and preparation materials, likely meant to be kept on-screen or nearby during calls with potential employers.