A leaked dataset shared by blockchain sleuth ZachXBT has opened an unusually detailed window into a North Korean IT operation that allegedly generated about $1 million a month by placing workers in remote technical roles under fabricated identities and then moving the proceeds through crypto and foreign payment rails. The significance of the leak lies not only in the scale of the alleged scheme, but in how clearly it maps the overlap between employment fraud, sanctions risk and digital-asset laundering.
The material, drawn from a compromised device and internal systems, reportedly includes transaction records, operational logs and coordination evidence that could prove valuable to sanctions investigators, compliance teams and employers. Investigators said the group used false personas and deepfakes to secure work at Western companies across roles including software engineering, full-stack development, quality assurance, data labeling, WordPress content work and remote IT support. What emerges is a labor-fraud model built with enough operational discipline to generate recurring revenue at scale.
A payroll fraud machine with crypto at its core
The leaked corpus was extensive. It reportedly contained 390 account records along with chat logs, browser histories, spreadsheets, invoices and cryptocurrency transaction histories. One reconstruction attributed more than $3.5 million in crypto receipts to the unit since late November 2025, while a separate investigative timeline suggested recurring inflows at an approximate pace of $1 million per month between 2022 and early 2024. Taken together, the records suggest a sustained commercial operation rather than a short-lived fraud ring.
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate… pic.twitter.com/aTybOrwMHq
— ZachXBT (@zachxbt) April 8, 2026
According to investigators, internal coordination ran through a hub identified as luckyguys.site and through IPMsg, with a central administrative account labeled PC-1234 handling payment validation and credential distribution. The same materials indicated that operational control was concentrated, with credential reuse and a single administrative layer overseeing access and settlement decisions. That centralization may have made the network efficient, but it also made its internal structure more legible once exposed.
The monetization chain appears to have relied on a blend of crypto receipts and fiat conversion through Chinese bank accounts and payment platforms such as Payoneer. That combination added layering complexity and made the flow of funds harder to interpret through any single monitoring lens. The alleged scheme did not depend on crypto alone, but on the flexibility of moving between digital assets and conventional payment channels.
The leak is a warning for employers and compliance teams
The records also pointed to investment in internal capability building. The unit reportedly maintained a 43-module training curriculum focused on reverse engineering and exploitation tools, although outside analysts described it as less sophisticated than more advanced North Korean state-linked hacking groups. The operation appears to have relied less on elite tradecraft than on repetition, coordination and weak controls on the target side.
Several entities allegedly tied to the network, including Sobaeksu, Saenal and Songkwang, have previously been identified in sanctions actions. That connection raises the stakes well beyond payroll fraud. Employers, exchanges and payment platforms are not simply dealing with identity deception, but with the possibility that ordinary-looking contractor payments or crypto transfers may intersect with sanctioned networks. The compliance risk begins with hiring, but it does not end there.
The leak underscores the need for stronger remote-hiring verification, continuous identity validation for contractors and tighter internal access governance. For financial platforms, it highlights the importance of transaction monitoring calibrated to mixed crypto-fiat patterns and sanctions screening that goes beyond obvious counterparties. Small payroll-style receipts followed by periodic cash-out activity may no longer look operationally routine once viewed through this lens.
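As an added illustration of the monitoring pattern this paragraph describes (not code from the article or from any of the investigators it cites), the Python below scores accounts for the "regular payroll-sized receipts on one rail, followed by a sweep onto another rail" shape and then extends sanctions screening one hop beyond the direct counterparty. The ledger, the watchlist entry and every account and counterparty name are constructed placeholders; the thresholds are assumptions a monitoring team would tune to its own data.

```python
"""Detection sketch for mixed crypto-fiat, payroll-style receipts followed by periodic cash-out.
Added example; thresholds and all identifiers are constructed assumptions, not values from the leak."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Txn:
    account: str       # internal account or wallet identifier
    ts: datetime       # settlement time
    direction: str     # "in" or "out"
    amount: float      # normalised to USD
    rail: str          # "crypto" or "fiat"
    counterparty: str  # source (for "in") or destination (for "out")


def _regular(values, max_cv):
    """True when the values cluster tightly: coefficient of variation at or below max_cv."""
    if len(values) < 2:
        return False
    m = mean(values)
    return m > 0 and pstdev(values) / m <= max_cv


def payroll_then_cashout(txns, min_receipts=4, max_amount_cv=0.25,
                         max_gap_cv=0.35, cashout_ratio=0.7):
    """Flag accounts whose inbound receipts look like salary (similar size, regular interval)
    and whose outflows sweep most of the accumulated balance onto a different rail."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    findings = []
    for acct, rows in by_account.items():
        rows.sort(key=lambda t: t.ts)
        inbound = [t for t in rows if t.direction == "in"]
        if len(inbound) < min_receipts:
            continue
        amounts = [t.amount for t in inbound]
        gaps = [(b.ts - a.ts).total_seconds() / 86400 for a, b in zip(inbound, inbound[1:])]
        if not (_regular(amounts, max_amount_cv) and _regular(gaps, max_gap_cv)):
            continue
        inbound_rails = {t.rail for t in inbound}

        # Walk the ledger in time order; an outflow on a rail the receipts never used that
        # moves most of what has accumulated since the last sweep counts as a cash-out.
        accumulated, cashouts = 0.0, []
        for t in rows:
            if t.direction == "in":
                accumulated += t.amount
            elif t.rail not in inbound_rails and accumulated > 0 and t.amount >= cashout_ratio * accumulated:
                cashouts.append(t)
                accumulated = 0.0
        if cashouts:
            findings.append({
                "account": acct,
                "receipts": len(inbound),
                "median_receipt": median(amounts),
                "median_gap_days": median(gaps),
                "cashouts": [(t.ts.date().isoformat(), t.amount, t.rail, t.counterparty) for t in cashouts],
            })
    return findings


def one_hop_exposure(txns, watchlist):
    """Screening beyond the obvious counterparty: accounts that touch a listed counterparty
    directly, plus accounts that share any counterparty with those direct hits."""
    direct = {t.account for t in txns if t.counterparty in watchlist}
    tainted_cps = {t.counterparty for t in txns if t.account in direct}
    indirect = {t.account for t in txns if t.counterparty in tainted_cps} - direct
    return direct, indirect


# Constructed placeholder watchlist entry; not a real listing.
WATCHLIST = frozenset({"bank-acct-XYZ"})


def sample_ledger():
    """Constructed ledger: W-1 shows the suspicious shape, W-2 is ordinary activity,
    W-3 only shares an inbound counterparty with W-1."""
    start = datetime(2025, 12, 1)
    rows = []
    # W-1: eight near-identical crypto receipts one week apart, then a single fiat sweep
    for i in range(8):
        rows.append(Txn("W-1", start + timedelta(days=7 * i), "in",
                        2500 + (i % 2) * 60, "crypto", "employer-gateway-A"))
    rows.append(Txn("W-1", start + timedelta(days=52), "out", 18_500, "fiat", "bank-acct-XYZ"))
    # W-2: irregular inbound sizes and a small outflow on the same rail
    for i, amt in enumerate([120, 900, 45, 2300, 310, 60]):
        rows.append(Txn("W-2", start + timedelta(days=i * 5 + (i % 3) * 2), "in", amt, "crypto", f"peer-{i}"))
    rows.append(Txn("W-2", start + timedelta(days=30), "out", 400, "crypto", "merchant-1"))
    # W-3: too few receipts to trip the payroll detector, but paid by the same gateway as W-1
    for d in (3, 10):
        rows.append(Txn("W-3", start + timedelta(days=d), "in", 2500, "crypto", "employer-gateway-A"))
    return rows


if __name__ == "__main__":
    ledger = sample_ledger()
    for f in payroll_then_cashout(ledger):
        print("payroll-then-cashout:", f)
    print("direct / one-hop exposure:", one_hop_exposure(ledger, WATCHLIST))
```

On the constructed ledger only W-1 trips the payroll-then-cash-out rule (eight receipts of about $2,500 seven days apart, then $18,500 out to a bank account on the fiat rail), W-2 is skipped because its receipt sizes are irregular, and the one-hop screen surfaces W-3 because it is paid by the same gateway as the account that sent funds to the listed destination. Neither signal is proof of anything on its own; the value is in joining the two views that a single-rail monitor would see separately.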
The broader lesson is that weak operational security on the illicit side does not reduce the danger to legitimate counterparties. In fact, a centralized and poorly secured scheme can still create significant downstream exposure if employers, fintechs and exchanges lack granular enough controls to detect it. This leak is not just evidence of one alleged network, but a template for the kinds of risks that remote work and borderless payments can conceal.
