Natalia Khandusenko, Hot News
10 April 2026, 13:20
A North Korean hacker "detonated" a virus on his own PC, exposing a fake IT worker scheme earning $1 million a month
A North Korean hacker working as part of a massive IT fraud scheme accidentally ran malware on his own computer. The virus began taking screenshots of his desktop, which later fell into the hands of a famous internet detective.
It is not known for certain how the info-stealer malware got onto the hacker's computer, but the stolen data appears to have fully exposed the North Korea-linked operation. The leak revealed hundreds of accounts, internal chats, browser history, fake personal data and records of crypto payments worth millions of dollars, writes Cybernews.
Independent internet detective ZachXBT, known for exposing several high-profile hacking cases through his OSINT investigations, said he learned about this strange scenario earlier this week when he received a copy of the leaked data.
“An anonymous source recently shared data stolen from an internal North Korean payment server containing information on 390 accounts, chat logs, and crypto transactions,” ZachXBT wrote in a series of posts on X.
After spending hours poring over this previously unseen data, the detective said he uncovered the intricate details of a $1 million-a-month hacking scheme that involved “fictitious identities, forged legal documents, and the conversion of cryptocurrency into fiat money.”
The password "123456" helped expose everything
Among the most absurd details, ZachXBT said, was that employees coordinated payments on a site called “luckyguys[.]site,” using the shared password “123456.” That’s an incredibly lax level of security for an operation that he estimated was generating around seven figures a month.
Moreover, the password "123456" was shared by ten users, which made it possible to expose "roles, Korean names, cities, and coded group names typical of the activities of North Korean IT workers," the researcher noted.
ZachXBT described the WebMsg platform hosted on the "luckyguys" website as essentially "a Discord-style messenger that North Korean IT people used to report received payments to their handlers."
Among the most interesting finds:
Correspondence between user "Rascal" and administrator PC-1234 on the WebMsg messenger. They detail payment transfers and the use of fake identities between December 2025 and April 2026.
All payments were processed and confirmed through the server administrator account: PC-1234.
Addresses in Hong Kong that were used to pay for bills and goods (this information requires further verification).
Records of receiving over $3.5 million to a single crypto wallet address, starting in late November 2025.
Connection to three companies under OFAC (Office of Foreign Assets Control) sanctions: Sobaeksu, Saenal, and Songkwang.
Emails indicating that over a dozen fake characters were applying for jobs through the Indeed platform.
33 individual IT workers from the DPRK who communicated internally and used Astrill VPN to mask their location.
How payments were processed
According to ZachXBT, thanks to the information he received, he was able to create a complete map of the organizational structure of this criminal network, including the amounts of payments for each user and group. The password to access the infrastructure map is, of course, "123456."
The researcher noted that, in addition to confirming the already known methods of operation of North Korean IT fraudsters, the data showed that the payment lifecycle involving the handlers was identical in every case.
The process begins with the scammer transferring cryptocurrency to a payment processor known as PC-1234. ZachXBT reported that these funds came from a variety of sources: crypto exchanges, specialized services, or conversion of cryptocurrency to fiat through Chinese bank accounts via international payment platforms such as Payoneer.
Once PC-1234 confirms receipt of the funds, it provides the user with credentials (logins/passwords). Depending on the specific scammer, these could be for a crypto exchange or another fintech platform.
One indication that investigators were already tracking the payment activity of this DPRK cluster was Tether's freezing of a Tron address associated with the network in December 2025.
Commenting on the leak, the malware repository vx-underground noted on X (Twitter): "This is the second time a North Korean state-run group has exposed its infrastructure and operations by accidentally activating a virus on its own computers."
"Dude, who the hell is running this?" they asked jokingly. ZachXBT added that after his exposure, the network's internal website went down on April 9, but he had already archived all the data and planned to continue studying it.