ZachXBT uncovers $16.58M in direct payments to North Korean IT workers

Source: Cryptopolitan

On-chain investigator ZachXBT intercepted payments made directly to North Korean IT workers. The payroll suggests more crypto projects are exposed to potential hacks from their own teams, or to bugs and backdoors introduced into smart contracts.

A new investigation by ZachXBT showed significant payroll payments still going to IT workers uncovered as DPRK agents. Project teams have hired international IT workers who often operate under cover with fake profiles. A series of profiles is currently being exposed for infiltrating blockchain, Web3 and DeFi projects.

ZachXBT discovered $16.58M in payments since January 2025, pointing to hundreds of jobs in crypto projects. 

The intercepted addresses and payrolls suggest some of the IT workers have used disguised identities and fake locations. The recent unveiling of additional wallets and identities arrived after the US Department of Justice cracked down on a recent IT scheme targeting US companies.

The risks include the theft of crypto, attacks against tokens and the draining of liquidity, in addition to the exposure and theft of sensitive information.

ZachXBT’s discoveries also follow recent doxxing of DPRK IT workers, who turned out to be highly active meme token creators or joined existing meme token teams. Other investigations involve attempts to present as civil engineers or even seek out roles as interior designers. The fake teams often use AI as a research tool and to disguise their identity.

North Korean IT teams were outed in voluntary investigations

For some, North Korean hackers in crypto teams are still a conspiracy theory. Most of the recent discoveries are linked to OSINT efforts and real-life tracking and doxxing. 

ZachXBT also adds wallet monitoring, often linking known IT workers with prominent social media profiles based on their wallet connections to known DPRK hacker wallet clusters. ZachXBT warned that North Korean IT workers are infiltrating traditional tech companies as well, but crypto projects often allow for easier tracking, especially if their payrolls are on-chain. 

For now, ZachXBT has not announced the names of crypto projects that were most affected by hackers. Previously, even established protocols like Waves have reported compromised smart contracts due to hiring unvetted IT workers. 

North Korean IT workers also pose as crypto influencers

Earlier in June, investigators pointed out that several high-profile crypto influencers linked to older meme and NFT projects were also connected to suspicious wallet clusters. Some of the addresses observed by ZachXBT were also flagged as being connected to the Favvr NFT project.

DPRK hackers often do not stay long with projects, but their involvement is risky even with a short stint. DPRK hackers can have multiple roles in projects, including access to multi-sig wallets or other key responsibilities. Since crypto projects only perform audits months or years apart, some DeFi platforms, meme tokens, and other apps may hold hidden risks for exploits.

ZachXBT also notes that the hackers are mostly drawn to MEXC, as well as US-based exchanges including Robinhood and Coinbase. Binance, one of the widely used markets, is now unsuitable, as it has a track record of freezing funds and assisting authorities in intercepting suspicious accounts. The North Korean IT workers often resort to USDC, though they try to conceal the transactions, as the stablecoin can be frozen.
