Insights into North Korea’s Crypto Operations: A Leaked Payment Server Reveals Major Transactions
Recent revelations from crypto analyst ZachXBT have unveiled a substantial North Korean crypto payment operation. A leaked server has disclosed that since late November 2025, over US$3.5 million (approximately AU$5.08 million) was processed through nearly 390 accounts, which utilise forged identities. This equates to an average of about US$1 million (AU$1.45 million) per month in transactions.
The origins of this data trace back to a compromised device infected with infostealer malware, with the information provided by an unnamed source. The dataset includes critical documentation such as transaction records, traffic logs, fake identities, and internal communications highlighting the operational structure of the network.
Payment Processing Mechanisms
The platform in question, referred to internally as WebMsg and hosted on luckyguys.site, operated as a messaging service for payment reporting among North Korean IT operatives. Astonishingly, some accounts were found to be using the default password "123456," highlighting a potential lack of security awareness. User records include Korean names and coded labels that correlate to established North Korean operations.
Three entities involved in this network—Sobaeksu, Saenal, and Songkwang—are currently under sanctions by the U.S. Treasury. Payments are reportedly confirmed by a central admin account named PC-1234, which also provided login credentials for cryptocurrency exchanges and financial platforms.
The scheme entails IT workers securing remote development roles under false pretenses, reaping an estimated monthly income of US$1 million. The funds are primarily converted into fiat currency through transactions involving Chinese banking institutions and platforms like Payoneer.
Blockchain investigations link several wallet addresses to known North Korean clusters, including wallets that were subsequently frozen by Tether in December 2025.
Operational Patterns and Network Analysis
ZachXBT’s analysis identified 33 individuals operating within this North Korean-affiliated network during the period from December 2025 to February 2026. Records showed discussions of potential targets, including a GalaChain-developed game named Arcano, as well as the use of a Nigerian proxy to facilitate operations.
Moreover, the dataset shows that 43 training modules were distributed covering tools such as Hex-Rays and IDA Pro, which are used for software reverse engineering and exploit development, with topics including disassembly and debugging.
Notably, while appearing less sophisticated than elite North Korean units like AppleJeus, the group represents an ongoing threat because of the lower risk its members face and the limited competition they encounter within the system. Since 2009, North Korean actors have orchestrated cyber thefts amounting to an estimated US$7 billion (AU$10.15 billion) in cryptocurrency, with prominent heists including US$1.4 billion from Bybit and US$625 million from the Ronin bridge.
Conclusion and Further Developments
The domain luckyguys.site went offline shortly after these findings were made public, further underscoring the precarious nature of these operations. As the crypto landscape evolves, the cell’s activities reflect the persistent risks posed by state-sponsored hacking groups, necessitating heightened vigilance across crypto platforms and the financial sector.
For continual updates, keep an eye on emerging reports detailing wider trends within the cryptocurrency industry and associated security enhancements that stakeholders must consider in mitigating risks stemming from such illicit activities.