ZachXBT Reveals North Korean Crypto Hackers’ Secret Infiltration Methods

ZachXBT published a series of documents stolen from North Korean crypto hackers. These documents detail precisely how infiltrators attack crypto startups and how to fight back.

Essentially, these hackers work in small teams to jointly operate dozens of fake personas, which then apply for IT jobs. Web3 startups’ own negligence and dismissive attitudes are these criminals’ greatest asset.

North Korean Crypto Secrets Exposed

Since earlier this year, North Korean hackers have developed a fearsome reputation in the crypto industry.

A dangerous new tactic involves infiltrating Web3 startups; this sophisticated practice has led to several notorious thefts this year. However, one crypto sleuth recently published a report detailing these operations:

1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.

— ZachXBT (@zachxbt) August 13, 2025

ZachXBT, a popular crypto investigator, pursues all sorts of Web3 criminals, yet North Korean hackers remain a special area of interest. He’s tracked everything from security breaches to money laundering, and has repeatedly warned of vast infiltration.

Today, however, ZachXBT is circulating valuable intel on how these groups work.

How Infiltrators Operate

Essentially, North Korean hackers split into five-man teams to impersonate crypto job seekers. These teams collectively acquire and operate upwards of 30 fake identities, purchasing government IDs, Upwork/LinkedIn accounts, VPNs, and more.

After doing this, they start applying for crypto jobs and looking for security flaws when they find employment. They vastly prefer IT roles, as this gives them ample chances to look for weaknesses and collaborate on the cover job’s workload.

North Korean Job Search Roster. Source:

These North Korean crypto scams are very sophisticated, but these documents show how to fight back. A few essential clues, like their choice of VPN, can expose a fake job applicant. Instead, the biggest problem is arrogance.

When cybersecurity investigators warn Web3 startups of potential infiltration, they might get a dismissive response:

“The main challenge faced in fighting [North Korean hackers] at companies includes the lack of collaboration. There’s also the negligence by the teams hiring them who become combative when alerted. [These hackers] are in no way sophisticated, but are persistent, since there’s so many flooding the job market globally for roles,” ZachXBT claimed.

These hackers never stay committed to one job, only lingering long enough to find a security exploit. Once they find one, groups like Lazarus employ a totally different unit to perpetrate the hack.

These methods encourage North Korean crypto hackers to maintain flimsy cover identities, hoping that lazy hiring practices indicate vulnerable security measures.

Web3 startups should be aware of North Korean hackers, not paralyzed by fear of them. A little diligence and caution can help keep any project safe from these infiltration attacks.