North Korean agents infiltrate the global Crypto Assets development market, operating with over 30 exposed false identifications.

According to 【币界】 news, an investigation by a well-known Blockchain detective shows that North Korea has made extensive inroads into the global Crypto Assets development recruitment market. A source who wished to remain anonymous recently hacked into the device of a North Korean IT worker and provided unprecedented insights, revealing how a small team of five IT workers operates over 30 fake identifications.

North Korean agents flood the Crypto Assets recruitment market

According to the investigation, the North Korean team registered accounts on recruitment platforms using government-issued identification documents to obtain developer positions for multiple projects. Investigators found an export file of staff members' Google Drive, Chrome profiles, and screenshots, showing that Google products were central to organizing schedules, tasks, and budgets, with communication primarily conducted in English.

Among these documents, there is a spreadsheet from 2025 that contains weekly reports from team members, revealing their internal operations and mindset. Typical entries include statements such as "I don’t understand the work requirements, and I don’t know what I need to do" and self-guiding comments like "Solution/Fix: Put in enough effort with care."

Another spreadsheet tracked expenses, showing the costs of purchasing social security numbers, recruitment platform accounts, phone numbers, AI subscriptions, computer rentals, and VPN or proxy services. The meeting agenda and scripts for fake identities were also recovered, including an identity named "Henry Zhang".

The team's operational approach includes purchasing or leasing computers, using AnyDesk for remote work execution, and converting earned fiat currency into Crypto Assets via Payoneer. A wallet address associated with the organization is linked on-chain to a $680,000 exploit that occurred in June 2025 with Favrr, where the project's CTO and other developers were later identified as North Korean IT workers using fraudulent documents. Other personnel associated with North Korea were connected to the project through this address.

Signs that they come from North Korea include frequent use of Google Translate and conducting Korean searches from Russian IP addresses. Investigators say that these IT workers are not particularly skilled, but their persistence is aided by the large number of positions they target globally. Challenges in responding to these actions include poor cooperation between private companies and services, as well as team resistance when reporting fraudulent activities.

North Korea's ongoing threat

North Korean hackers, particularly the Lazarus Group, continue to pose a significant threat to the industry. In February 2025, the organization orchestrated the largest crypto assets exchange hack in history, stealing approximately $1.5 billion in Ethereum from a trading platform based in Dubai. The attack exploited vulnerabilities in third-party wallet providers, allowing hackers to bypass multi-signature security measures and transfer funds to multiple wallets. The FBI attributed the breach to North Korean agents and labeled it "TraderTraitor."

Subsequently, in July 2025, the Indian crypto assets exchange CoinDCX became a victim of a $44 million theft case, which was also linked to the Lazarus Group. The attackers infiltrated CoinDCX's liquidity infrastructure and exploited exposed internal credentials to carry out the theft.