ZachXBT Full Text: After counter-hacking North Korean hacker tools, I understood their "work" model.

Well-known on-chain investigator ZachXBT has cited a white hat hacker's investigation revealing how a five-member North Korean hacking team used fake identities to infiltrate development projects. This article covers their working patterns, expenditure details, and fund flows, and offers pointers for preventing this kind of threat. It is based on a post by ZachXBT and was compiled and written by Azuma of Odaily.

(Background: Microsoft and the FBI join forces to combat North Korean hacker fraud! 3,000 accounts frozen, American 'collaborators' arrested)
(Background supplement: BitoPro was hacked and the investigation found it was North Korea's Lazarus! Social engineering attack stole 11.5 million dollars)

North Korean hackers have long been a significant threat to the crypto asset market. In previous years, victims and industry security staff could only infer the behaviour patterns of North Korean hackers from past security incidents. Yesterday, however, the well-known on-chain investigator ZachXBT cited in his latest tweet an analysis by a white hat hacker who counter-hacked North Korean operators, revealing for the first time the 'working' methods of North Korean hackers from the inside. This may be of real use for preemptive security deployment in industry projects.

Below is the full text from ZachXBT, translated by Odaily.

An anonymous hacker, who wished to remain unnamed, recently hacked into the device of a North Korean IT worker, exposing the inner workings of a five-member technical team operating over 30 fake identities. This team not only held government-issued fake identification documents but also infiltrated various development projects by purchasing Upwork/LinkedIn accounts. Investigators obtained their Google Drive data, Chrome browser profiles, and device screenshots.
The data shows that the team relied heavily on Google tools to coordinate work schedules, task assignments, and budget management, with all communication conducted in English. A weekly report document from 2025 revealed the team's work patterns and the difficulties they encountered during that period; one member complained, 'I cannot understand the work requirements and do not know what to do,' and the corresponding solution field was, surprisingly, filled in with 'Put in effort, work harder'...

The recorded expenditure details indicate that their expenses included purchases of Social Security Numbers (SSNs), Upwork and LinkedIn account transactions, phone number rentals, AI service subscriptions, computer rentals, and VPN/proxy service procurement, among others. One spreadsheet detailed the schedule and script for attending meetings under the fake identity 'Henry Zhang.'

The operational process indicated that these North Korean IT workers would first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work through the AnyDesk remote control tool.

One of the wallet addresses they used for sending and receiving funds was 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c. This address is closely linked to the $680,000 Favrr protocol attack in June 2025, and it was later confirmed that Favrr's CTO and other developers were North Korean IT workers holding counterfeit documents. Other North Korean IT personnel involved in infiltration projects were also identified through this address.

Key evidence was also found in the team's search records and browser history. Some may wonder, 'How can we confirm they are from North Korea?' In addition to all the fraudulent documents detailed above, their search history showed frequent use of Google Translate to translate into Korean, from Russian IPs.
Currently, the main challenges enterprises face in preventing North Korean IT workers lie in the following areas:

- Lack of systematic collaboration: there are no effective information sharing and cooperation mechanisms between platform service providers and private enterprises;
- Employer oversight: hiring teams often take a defensive attitude after receiving risk alerts, and sometimes refuse to cooperate with investigations;
- Numbers: although their technical means are not sophisticated, they continuously infiltrate the global job market with a large pool of job seekers;
- Fund conversion channels: payment platforms such as Payoneer are frequently used to convert fiat income from development work into crypto assets.

I have previously introduced several indicators to watch out for, and interested readers can refer to my historical tweets, so I will not repeat them here.

This article was first published in BlockTempo, the most influential blockchain news media.
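The post notes that other infiltrators were identified through the single flagged wallet address. The block below is an added example, not code from ZachXBT or from the original article, showing the counterparty-tracing logic a defender would use for that: a breadth-first walk outward from the flagged address over a transfer list, with a stop set so that a shared exchange deposit address does not pull every unrelated exchange customer into the cluster, plus a helper that lists which external addresses paid into the cluster (candidate employers to notify). Only the flagged address comes from the page; every other address and every transfer is a constructed placeholder.

```python
from collections import defaultdict, deque

# The only real value here: the address named in ZachXBT's post.
FLAGGED = "0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c"

# Constructed sample transfers (sender, receiver, amount_usd). Not real chain data;
# the "0xplaceholder_*" strings stand in for addresses you would pull from an explorer.
SAMPLE_TRANSFERS = [
    ("0xplaceholder_project_a", FLAGGED, 12000.0),            # employer pays the worker
    (FLAGGED, "0xplaceholder_worker_b", 4000.0),               # worker splits pay with a teammate
    (FLAGGED, "0xplaceholder_exchange_deposit", 8000.0),       # cash-out via an exchange
    ("0xplaceholder_exchange_deposit", "0xplaceholder_exchange_hot", 8000.0),
    ("0xplaceholder_project_b", "0xplaceholder_worker_b", 3000.0),  # second employer
    ("0xplaceholder_worker_b", "0xplaceholder_worker_c", 1500.0),
    ("0xplaceholder_unrelated_a", "0xplaceholder_unrelated_b", 500.0),
]


def build_graph(transfers):
    """Undirected adjacency map: every transfer links sender and receiver."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        s, r = sender.lower(), receiver.lower()
        graph[s].add(r)
        graph[r].add(s)
    return graph


def counterparties_within(transfers, seed, max_hops, stop_at=()):
    """Return {address: hop_distance} for every address within max_hops of seed.

    Addresses in stop_at are still reported when reached but are never expanded,
    which is how you keep an exchange deposit address from linking the cluster
    to thousands of innocent customers of the same exchange.
    """
    graph = build_graph(transfers)
    stop = {a.lower() for a in stop_at}
    seed = seed.lower()
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if dist[current] >= max_hops or current in stop:
            continue
        for neighbour in graph[current]:
            if neighbour not in dist:
                dist[neighbour] = dist[current] + 1
                queue.append(neighbour)
    return dist


def inbound_sources(transfers, cluster):
    """Total funds sent into the cluster by addresses outside it: the payers to notify."""
    members = {a.lower() for a in cluster}
    totals = defaultdict(float)
    for sender, receiver, amount in transfers:
        s, r = sender.lower(), receiver.lower()
        if r in members and s not in members:
            totals[s] += amount
    return dict(totals)


if __name__ == "__main__":
    hops = counterparties_within(SAMPLE_TRANSFERS, FLAGGED, 2,
                                 stop_at=["0xplaceholder_exchange_deposit"])
    for address, hop in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {address}")
    workers = {a for a, h in hops.items() if a.startswith("0xplaceholder_worker") or a == FLAGGED}
    print("paid the cluster:", inbound_sources(SAMPLE_TRANSFERS, workers))
```

In practice the transfer list comes from an explorer or node export, and the stop set should contain every known exchange, bridge and mixer address before you read anything into a two-hop link; a hop through a shared deposit address is the most common way this kind of tracing produces false accusations.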
