ZachXBT: North Korean IT workers laundered $1M in crypto monthly

On-chain analyst ZachXBT has uncovered evidence suggesting North Korean IT personnel have been laundering an average of $1 million in cryptocurrency per month using forged identities and fraudulent documents. In a post on X, ZachXBT detailed his analysis of an internal payment server belonging to a North Korean IT organization, which contained over 390 accounts, chat logs, and transaction histories. The group reportedly used a private internal messenger, "luckyguys[.]site," to report deposits to their superiors. Since late November 2025 alone, more than $3.5 million was funneled through a specific payment wallet. The analysis identified three companies sanctioned by the U.S. Office of Foreign Assets Control (OFAC): Sobaeksu, Saenal, and Songgwang. Funds were either received as cryptocurrency through exchanges or transferred to Chinese bank accounts using financial solutions like Payoneer. ZachXBT noted that while this particular group may be less technically sophisticated than other hacking organizations, the findings support previous estimates that North Korean IT workers are generating millions of dollars in foreign currency each month.