By ZachXBT Compiled by Azuma, Daily Planet Editor's Note: North Korean hackers have always been a major threat to the cryptocurrency market. In the past, victims and industry security professionalsBy ZachXBT Compiled by Azuma, Daily Planet Editor's Note: North Korean hackers have always been a major threat to the cryptocurrency market. In the past, victims and industry security professionals

ZachXBT: After reverse hacking North Korean hackers' equipment, I understand their "working mode"

2025/08/14 19:00
3 min read
For feedback or concerns regarding this content, please contact us at [email protected]

By ZachXBT

Compiled by Azuma, Daily Planet

Editor's Note: North Korean hackers have always been a major threat to the cryptocurrency market. In the past, victims and industry security professionals could only infer North Korean hackers' behavior patterns by reverse engineering related security incidents. However, yesterday, renowned on-chain detective ZachXBT, in a recent tweet, cited an investigation and analysis by a white-hat hacker who reverse-hacked North Korean hackers. This proactive analysis reveals the North Korean hackers' working methods for the first time, potentially providing positive insights into preemptive security measures for industry projects.

The following is the full text of ZachXBT, compiled by Odaily Planet Daily.

An anonymous hacker recently compromised the device of a North Korean IT worker, revealing how a five-person technical team operated over 30 fake identities, using fake government-issued IDs and purchased Upwork and LinkedIn accounts to infiltrate various development projects.

Investigators obtained Google Drive data, Chrome browser profiles, and device screenshots, which revealed that the team relied heavily on Google tools to coordinate work schedules, assign tasks, and manage budgets, with all communications conducted in English.

A weekly report from 2025 revealed the hacker team's work patterns and the difficulties they encountered. For example, one member complained about "not understanding the job requirements and not knowing what to do," but the corresponding solution was to "dedicate yourself and work harder."

Detailed expense records show that their expenditure items include purchasing social security numbers (SSNs), Upwork and LinkedIn account transactions, renting phone numbers, subscribing to AI services, renting computers, and purchasing VPN/proxy services.

One spreadsheet detailed the schedule and scripts for meetings attended by the fictitious "Henry Zhang." The process revealed that these North Korean IT workers would first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work using the AnyDesk remote control tool.

One of the wallet addresses they use to send and receive funds is:

0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c;

This address is closely linked to the $680,000 Favrr protocol attack in June 2025. Its CTO and other developers were later confirmed to be North Korean IT workers with forged credentials. This address has also been used to identify North Korean IT personnel involved in other infiltration projects.

The team also found the following key evidence in their search records and browser history.

One might ask, “How can we be sure they are from North Korea?” In addition to all the fraudulent documents detailed above, their search history also shows that they frequently use Google Translate and translate into Korean using a Russian IP.

Currently, the main challenges for enterprises in preventing North Korean IT workers are as follows:

  • Lack of systematic collaboration: There is a lack of effective information sharing and cooperation mechanisms between platform service providers and private enterprises;
  • Employer oversight: Hiring teams often become defensive after receiving risk warnings, or even refuse to cooperate with investigations;
  • Impact of numerical advantage: Although its technical means are not complicated, it continues to penetrate the global job market with its huge base of job seekers;
  • Funding conversion channels: Payment platforms such as Payoneer are frequently used to convert fiat currency income from development work into cryptocurrency;

I have introduced the indicators that need attention many times. If you are interested, you can check out my historical tweets. I will not repeat them here.

Market Opportunity
Major Logo
Major Price(MAJOR)
$0.03443
$0.03443$0.03443
-0.72%
USD
Major (MAJOR) Live Price Chart

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact [email protected] for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.

You May Also Like

Not a loophole: Singapore AI export controls let China tap US AI legally

Not a loophole: Singapore AI export controls let China tap US AI legally

American AI technology is reaching Chinese tech giants through a route that US export controls were never designed to close: Singapore. The city-state sits outside
Share
The Cryptonomist2026/07/10 14:46
CME Group to launch Solana and XRP futures options in October

CME Group to launch Solana and XRP futures options in October

The post CME Group to launch Solana and XRP futures options in October appeared on BitcoinEthereumNews.com. CME Group is preparing to launch options on SOL and XRP futures next month, giving traders new ways to manage exposure to the two assets.  The contracts are set to go live on October 13, pending regulatory approval, and will come in both standard and micro sizes with expiries offered daily, monthly and quarterly. The new listings mark a major step for CME, which first brought bitcoin futures to market in 2017 and added ether contracts in 2021. Solana and XRP futures have quickly gained traction since their debut earlier this year. CME says more than 540,000 Solana contracts (worth about $22.3 billion), and 370,000 XRP contracts (worth $16.2 billion), have already been traded. Both products hit record trading activity and open interest in August. Market makers including Cumberland and FalconX plan to support the new contracts, arguing that institutional investors want hedging tools beyond bitcoin and ether. CME’s move also highlights the growing demand for regulated ways to access a broader set of digital assets. The launch, which still needs the green light from regulators, follows the end of XRP’s years-long legal fight with the US Securities and Exchange Commission. A federal court ruling in 2023 found that institutional sales of XRP violated securities laws, but programmatic exchange sales did not. The case officially closed in August 2025 after Ripple agreed to pay a $125 million fine, removing one of the biggest uncertainties hanging over the token. This is a developing story. This article was generated with the assistance of AI and reviewed by editor Jeffrey Albus before publication. Get the news in your inbox. Explore Blockworks newsletters: Source: https://blockworks.co/news/cme-group-solana-xrp-futures
Share
BitcoinEthereumNews2025/09/17 23:55
Iran’s army chief warns of ‘total destruction’ for ground invasion

Iran’s army chief warns of ‘total destruction’ for ground invasion

The post Iran’s army chief warns of ‘total destruction’ for ground invasion appeared on BitcoinEthereumNews.com. Iran’s army chief warned of “total destruction”
Share
BitcoinEthereumNews2026/04/02 18:15

Activate to Enjoy Special Perks

Activate to Enjoy Special PerksActivate to Enjoy Special Perks

Access 0 fees, premium support, and loss coverage.