North Korean Cryptocurrency Payment System Exposed: Over $3.5 Million Processed
A recent leak has unveiled details of a North Korean payment system revealing that more than USD 3.5 million (approximately AUD 5.08 million) in cryptocurrency was processed since late November 2025. This operation, averaging about USD 1 million monthly across 390 accounts using fake identities, highlights the ongoing illicit activities linked to state-sponsored actors from the Democratic People’s Republic of Korea (DPRK).
The investigative thread, published by prominent on-chain analyst ZachXBT, came from a compromised device infected by infostealer malware. This source provided confidential files that had not previously been disclosed. The dataset includes extensive records such as internal communications, fabricated identities, browsing histories, and transaction documents.
The payment system, hosted on luckyguys.site and referred to internally as WebMsg, served as a communication channel for IT workers who managed financial operations. Alarmingly, at least ten accounts were still using the default password “123456,” and the user records contained Korean names, locations, and coded labels linked to known North Korean operations.
Inside the Payment Pipeline
Among the entities listed on this platform, Sobaeksu, Saenal, and Songkwang are under sanctions from the US Treasury. A primary administrative account, known as PC-1234, confirmed payments and provided access credentials for various crypto exchanges and financial services. These records indicate that workers were earning up to USD 1 million monthly by employing fake identities to secure remote developer roles. The funds were often transferred directly from cryptocurrency exchanges or converted to fiat using Chinese bank accounts through platforms such as Payoneer.
Blockchain evidence links several addresses within the leaked dataset to coordinated North Korean operations, including wallets blocked by Tether in December 2025.
Patterns and Network Analysis
ZachXBT identified 33 individuals active within the same network between December 2025 and February 2026. Logs suggest attempts to target a GalaChain-based game called Arcano, which included plans to utilise a Nigerian proxy for operations.
Moreover, the dataset revealed the distribution of 43 training modules related to Hex-Rays and IDA Pro, tools essential for reverse engineering and developing exploits. While ZachXBT noted that this group seemed less sophisticated than well-known North Korean hacking units such as AppleJeus or TraderTraitor, it remains operational because its activities carry lower risk and face little competition.
Since 2009, North Korean-linked cybercriminals are estimated to have stolen around USD 7 billion (approximately AUD 10.15 billion) in cryptocurrencies. Notable incidents include USD 1.4 billion (around AUD 2.03 billion) siphoned from Bybit and USD 625 million (approximately AUD 906.25 million) from the Ronin Bridge.
Following the publication of these findings, the luckyguys.site domain was rendered inactive just a day later, suggesting a rapid response to the exposure of these illicit operations.
As investigations continue, the exposure of this payment system serves as a chilling reminder of the vast potential for cybercrimes driven by state-sponsored actors, raising urgent questions about the security of the cryptocurrency space.
This incident underscores the necessity for the global crypto community to bolster its security measures and scrutinise transactions more rigorously to detect and mitigate such illicit activities effectively.
In conclusion, the recent revelations on North Korea’s crypto activities highlight a significant challenge for regulators and industry players alike, indicating the need for enhanced vigilance in combating cybersecurity threats and protecting economic integrity.