DPRK IT jobs used weak passwords to steal $3.5M in crypto

A leaked dataset reviewed by Cointelegraph alleges that a DPRK IT worker unit posed as legitimate developers while also attempting to hack crypto projects. The documents, shared by blockchain sleuth ZachXBT, claim one worker known as “Jerry,” leading a 140-person team, generated about $1 million per month and roughly $3.5 million in crypto since late November. The DPRK IT jobs group coordinated payments through a website (“luckyguys.site”) that was protected by the trivial password “123456.” ZachXBT says some platform users appeared tied to entities sanctioned by the US Office of Foreign Assets Control, including “Sobaeksu,” “Saenal,” and “Songkwang.” Funds moved from crypto wallets to fiat via online payment platforms such as Payoneer, then to Chinese bank accounts. Wallet tracing also reportedly linked these activities to North Korean wallets blacklisted by Tether in December. Screenshots cited by ZachXBT show “Jerry” used an Astrill VPN to access Gmail and submitted job applications on Indeed for full-stack developer and software engineer roles. Other falsified identification materials are also described, including fake addresses and an Irish passport image. The article frames this as part of a broader pattern: North Korea-linked actors have stolen more than $7 billion since 2009, including the Bybit hack ($1.4B) and the Ronin bridge hack ($625M), and are also blamed for a Drift Protocol hack ($280M). The report notes these DPRK IT jobs actors may be less efficient than groups like “AppleJeus” and “TraderTraitor,” but still pose an ongoing cyber risk to the crypto industry.
Bearish
This news is negative for trading sentiment because it reinforces that DPRK IT worker units can operationalize cybercrime at scale, relying on weak shared credentials, payment-routing services, and wallet linkages to known blacklisted funds. A higher perceived probability of attack typically raises risk premiums for exchanges, bridges, and on-chain counterparties. In the short term, traders may expect a run of security headlines that can pressure liquidity and trigger defensive positioning, especially for custodial services and frequently targeted platforms. In the long term, recurring North Korea-linked theft cases (Bybit, Ronin, Drift) tend to sustain regulatory scrutiny and compliance-driven costs, which can affect valuations of high-risk segments. While the report includes job-application and identity-fraud details, the market-relevant takeaway is the group's operational capability and its funding-flow patterns. Similar past incident cycles have often led to temporary volatility around affected ecosystems, even when direct token fundamentals remain unchanged.