EddieJayonCrypto

 13 Aug 25

tl;dr

Blockchain investigator ZachXBT uncovered a North Korean operation infiltrating Western tech companies through fake identities in remote developer roles. A device from one of five DPRK workers revealed use of forged social security numbers, fake accounts on Upwork and LinkedIn, rented computers, and...

Blockchain investigator ZachXBT uncovered a sophisticated operation run by North Korean IT workers infiltrating Western tech companies through remote development roles. An unnamed source provided access to a device from one of five DPRK workers, revealing their extensive use of fake social security numbers, Upwork and LinkedIn accounts, phone numbers, and rented computers to secure developer jobs.

The team coordinated their work using Google products, organizing schedules, tasks, and budgets while primarily communicating in English. Weekly reports from 2025 showed struggles with job requirements, highlighting challenges despite persistent efforts.

The DPRK workers employed a consistent operational method: purchasing fake accounts, renting devices, and using AnyDesk for remote access. Their expenses included AI subscriptions, VPNs, and proxies to maintain fake identities. Detailed personas and work histories were created for each fake identity, with payment channels linked through a specific wallet address tied to multiple fraudulent activities.

One major incident linked to the group was the $680,000 Favrr exploit in June 2025, where the company’s CTO and other developers were revealed as DPRK workers using fraudulent credentials. The CTO, known as “Alex Hong,” exhibited suspicious traits such as deleted LinkedIn profiles and unverifiable history.

Despite sophisticated fronts, compromised devices showed frequent use of Google Translate with Korean translations and operation via Russian IP addresses, confirming North Korean origins. ZachXBT pointed out that the issue is difficult to address because of poor collaboration between service providers and private companies, and because hiring teams react defensively and are reluctant to accept infiltration warnings.

The workers convert earnings into cryptocurrency via Payoneer, operating with persistence rather than sophistication, flooding the global job market for remote development roles. This exposure highlights the extensive scale of North Korean infiltration within Western technology firms, with this team being only one of potentially hundreds executing similar schemes across remote platforms.
