An on-chain investigation has revealed that North Korea IT workers posing as foreign developers have earned nearly $17 million from crypto startups and blockchain companies this year.
The findings, revealed by prominent blockchain investigator ZachXBT, show that these individuals have successfully integrated into dozens of crypto projects by concealing their identities and locations.
According to ZachXBT, these North Korean operatives filled around 345 roles and potentially up to 920 positions in the emerging industry this year alone.
The investigator noted that their monthly earnings for each role typically ranged between $3,000 and $8,000, bringing the estimated payout to around $2.76 million monthly.
USDC’s role
ZachXBT reported that many of these developers received payments through two main crypto wallets, many of which held balances in USDC, the second-largest stablecoin by market cap.
He also pointed out that funds were sent directly from Circle accounts in several cases, highlighting a serious vulnerability in the publicly listed firm’s compliance oversight.
Notably, one address had only one transaction sent from a wallet previously blacklisted by Tether and linked to known North Korean actor Hyon Sop Sim.
Considering this, ZachXBT stated:
“I think it’s misleading Circle markets themselves as the most compliant stablecoin that puts security first when they do not have proper channels to report illicit activity and do not engage in incident response during major exploits.”
Key trends uncovered
One key observation ZachXBT made is the misconception that US exchanges have stricter KYC/AML requirements compared to offshore platforms.
According to him, many of these ITWs are tied to US exchanges like Coinbase and Robinhood, while MEXC remains a popular platform for laundering funds.
He wrote:
“A few years ago Binance was widely used by ITWs but now it is rare due to improvements in detection and private industry collaboration that lead to seizures.”
Meanwhile, the blockchain investigator also noted that the rise of neobanks and fintech companies that integrate stablecoins has made it easier for DPRK ITWs to convert fiat into crypto, further complicating the issue.
Finally, ZachXBT warned that hiring multiple DPRK ITWs is often a strong indicator that a project will struggle.
According to him, these workers are usually hired due to their low cost, but their lack of sophistication and the teams’ negligence can lead to disastrous results for crypto startups.
How to identify North Korean IT Workers
Considering this, ZachXBT explained that the North Korean developers could be identified during hiring processes as they often exhibit suspicious behavior.
Some of the common red flags he identified include failed KYC attempts, refusal to meet colleagues in person, despite claiming to live nearby, and shared usage of VPNs with Russian IP addresses.
He also noted that these individuals refer one another to roles within the same project, alter their GitHub handles, and erase LinkedIn histories to avoid detection.
The investigation revealed that once inside a project, these workers often gain access to smart contracts and sensitive infrastructure. Their performance tends to be poor, leading to frequent terminations, but the damage is usually done by the time they’re let go.
He wrote:
“They typically take on multiple roles at once and frequently get fired due to underperformance so turnover is high. Once they infiltrate a team and take ownership of contracts your project becomes at risk of an incident.”
