Exclusive: ZachXBT Exposes $16.58M Pipeline Funding North Korean IT Operatives
Blockchain sleuth ZachXBT rips the lid off a shadowy $16.58M operation—direct payments funneled to DPRK-linked tech workers. Who’s bankrolling Pyongyang’s digital army?
Follow the crypto trail
The investigator’s latest thread traces a money river flowing straight into the Hermit Kingdom’s coffers—no sanctions, no problem. When will compliance teams wake up?
Finance world shrugs (again)
Meanwhile, traditional institutions keep rubber-stamping ‘legitimate’ transactions worth billions to actual criminals. But sure—crypto’s the problem.
North Korean IT teams were outed in voluntary investigations
For some, North Korean hackers in crypto teams are still a conspiracy theory. Most of the recent discoveries are linked to OSINT efforts and real-life tracking and doxxing.
ZachXBT also adds wallet monitoring, often linking known IT workers with prominent social media profiles based on their wallet connections to known DPRK hacker wallet clusters. ZachXBT warned that North Korean IT workers are infiltrating traditional tech companies as well, but crypto projects often allow for easier tracking, especially if their payrolls are on-chain.
For now, ZachXBT has not announced the names of crypto projects that were most affected by hackers. Previously, even established protocols like WAVES have reported compromised smart contracts due to hiring unvetted IT workers.
North Korean IT workers also pose as crypto influencers
Earlier in June, investigators also pointed out that several high-profile crypto influencers linked to older meme and NFT projects were connected to suspicious wallet clusters. Some of the addresses observed by ZachXBT were also flagged as being connected to the Favvr NFT project.
DPRK hackers often do not stay long with projects, but their involvement is risky even with a short stint. DPRK hackers can have multiple roles in projects, including access to multi-sig wallets or other key responsibilities. Since crypto projects only perform audits months or years apart, some DeFi platforms, meme tokens, and other apps may hold hidden risks for exploits.
ZachXBT also notes that the hackers are mostly drawn to MEXC, as well as US-based exchanges including Robinhood and Coinbase. Binance, one of the widely used markets, is now unsuitable for them, as it has a track record of freezing funds and assisting authorities in intercepting suspicious accounts. The North Korean IT workers often resort to USDC, though they try to conceal the transactions, as the stablecoin can be frozen.