ZachXBT: After reverse-hacking North Korean hacker equipment, I understood their "work" mode.


Author: ZachXBT

Compiled by: Azuma, Planet Daily

Editor's note: North Korean hackers have long been a significant threat to the cryptocurrency market. In the past, victims and industry security personnel could only infer the behaviour patterns of North Korean hackers by working backwards from the security incidents they caused. Yesterday, however, the well-known on-chain detective ZachXBT cited in his latest tweet an analysis by a white-hat hacker who had hacked back into the North Korean hackers' own device, revealing for the first time how North Korean hackers "work" from the inside. This may help industry projects take preemptive security measures.

The following is the full text of ZachXBT's tweet, translated by Odaily Planet Daily.

An anonymous hacker recently breached the device of a North Korean IT worker, revealing insider information on how a five-person technical team operates more than 30 fake identities. This team not only holds fraudulent government-issued identification documents but also infiltrates various development projects by purchasing Upwork/LinkedIn accounts.

Investigators obtained data from the team's Google Drive, Chrome browser profile, and device screenshots. The data shows that the team relies heavily on Google's suite of tools to coordinate work schedules, task assignments, and budget management, with all communication conducted in English.

A weekly report document from 2025 revealed the team's working patterns and the difficulties they encountered during this period, such as a member complaining, "I cannot understand the work requirements and don't know what to do," while the corresponding solution section surprisingly stated, "Put in effort and work harder"...

The expenditure details show that their expenses include purchases of Social Security Numbers (SSN), transactions of Upwork and LinkedIn accounts, phone number rentals, AI service subscriptions, computer rentals, and VPN/proxy service procurement, among others.

One of the spreadsheets details the schedule and script for attending meetings under the fake identity "Henry Zhang." The operating process shows that these North Korean IT workers first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work through the AnyDesk remote control tool.

One of the wallet addresses they use for sending and receiving payments is:

0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c

This address has a close on-chain connection to the $680,000 Favrr protocol attack incident that occurred in June 2025, which was later confirmed to involve its CTO and other developers who were North Korean IT workers holding forged documents. Other North Korean IT personnel involved in infiltration projects were also identified through this address.

The following key evidence was also found in the team's search records and browser history.

Some may ask, "How can you confirm they are from North Korea?" In addition to all the fraudulent documents detailed above, their search history also shows that they frequently used Google Translate, from Russian IPs, to translate into Korean.

Currently, the main challenges for enterprises in preventing North Korean IT workers focus on the following aspects:

  • Lack of systematic collaboration: there is no effective information-sharing and cooperation mechanism between platform service providers and private enterprises;
  • Employer negligence: hiring teams often become defensive after receiving a risk warning, and may even refuse to cooperate with the investigation;
  • Weight of numbers: although their technical means are not sophisticated, they continue to penetrate the global job market with a large base of job seekers;
  • Fund conversion channels: payment platforms such as Payoneer are frequently used to convert fiat income earned from development work into cryptocurrency.

I have introduced the indicators that need attention multiple times. If you are interested, you can look through my historical tweets, so I won't repeat them here.
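The post says other North Korean IT workers were identified "through this address", i.e. by their on-chain proximity to the payment wallet quoted above. The block below is an added example, not code from ZachXBT or from any investigator, of how that proximity check is done in practice: a breadth-first walk over a transfer graph that reports every address within a chosen number of hops of the seed, together with the transactions on the path. The seed is the address quoted in the post; every other address, transaction hash and amount is constructed for illustration and describes no real activity. Two caveats a practitioner would want are built in: dust transfers are dropped (anyone can send 0.0001 USDT to a wallet, so unfiltered inbound dust links every address to every other) and known exchange hot wallets are recorded but not expanded (otherwise the whole exchange's customer base lands at two hops).

```python
"""Hop-distance tracing around a flagged address (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The one real value here: the payment address quoted in the post.
SEED = "0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c"

# CONSTRUCTED placeholders; the repeated byte patterns make that obvious.
PAYER = "0x" + "a1" * 20      # a client that paid the flagged wallet
EXCHANGE = "0x" + "e5" * 20   # a (hypothetical) exchange hot wallet
WORKER2 = "0x" + "b2" * 20    # another wallet paid by the same client
SPAM = "0x" + "d0" * 20       # sender of an unsolicited dust transfer
OTHER1 = "0x" + "c3" * 20     # unrelated exchange customer
OTHER2 = "0x" + "c4" * 20     # unrelated counterparty of OTHER1


@dataclass(frozen=True)
class Transfer:
    tx: str       # transaction hash (constructed)
    src: str
    dst: str
    amount: float  # token units (constructed)
    token: str


# Constructed sample transfer set: no hash or amount here is real.
SAMPLE: List[Transfer] = [
    Transfer("0xtx01", PAYER, SEED, 2400.0, "USDT"),     # client pays flagged wallet
    Transfer("0xtx02", SEED, EXCHANGE, 2390.0, "USDT"),  # flagged wallet cashes out
    Transfer("0xtx03", PAYER, WORKER2, 1800.0, "USDT"),  # same client pays a second wallet
    Transfer("0xtx04", SPAM, SEED, 0.0001, "USDT"),      # dust: should not create a link
    Transfer("0xtx05", OTHER1, OTHER2, 50.0, "USDT"),    # unrelated activity
    Transfer("0xtx06", EXCHANGE, OTHER1, 10.0, "USDT"),  # exchange pays an unrelated customer
]


def norm(addr: str) -> str:
    """Canonicalise an EVM address: hex is case-insensitive (EIP-55 only adds a checksum)."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def build_graph(transfers: Iterable[Transfer], min_amount: float = 0.0) -> Dict[str, List[Tuple[str, Transfer]]]:
    """Undirected adjacency list; both payment directions matter for clustering wallets."""
    adj: Dict[str, List[Tuple[str, Transfer]]] = {}
    for t in transfers:
        if t.amount < min_amount:
            continue  # dust filter: unsolicited tiny transfers would link anyone to anyone
        s, d = norm(t.src), norm(t.dst)
        adj.setdefault(s, []).append((d, t))
        adj.setdefault(d, []).append((s, t))
    return adj


def trace(transfers: Iterable[Transfer], seed: str, max_hops: int = 2,
          min_amount: float = 0.0, stop_at: Optional[Set[str]] = None) -> Dict[str, Tuple[int, List[str]]]:
    """BFS from seed. Returns {address: (hops, [tx hashes on the shortest path])}.

    Addresses in stop_at (e.g. exchange hot wallets) are reported when reached but
    never expanded, so the walk does not spill into every customer of the exchange.
    """
    adj = build_graph(transfers, min_amount)
    stop = {norm(a) for a in (stop_at or set())}
    seed = norm(seed)
    found: Dict[str, Tuple[int, List[str]]] = {seed: (0, [])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops, path = found[cur]
        if hops >= max_hops or cur in stop:
            continue
        for nxt, t in adj.get(cur, []):
            if nxt not in found:  # first visit is the shortest path in BFS
                found[nxt] = (hops + 1, path + [t.tx])
                queue.append(nxt)
    return found


def report(found: Dict[str, Tuple[int, List[str]]]) -> List[Tuple[int, str, str]]:
    """Flatten to (hops, address, 'tx -> tx') rows, nearest first, for a spreadsheet or ticket."""
    rows = [(h, a, " -> ".join(p)) for a, (h, p) in found.items()]
    return sorted(rows)


if __name__ == "__main__":
    for hops, addr, path in report(trace(SAMPLE, SEED, max_hops=2, min_amount=1.0, stop_at={EXCHANGE})):
        print(f"{hops} hop(s)  {addr}  via {path or '(seed)'}")
```

With the dust filter and the exchange stop set, the walk reports the paying client at one hop and the second wallet that client paid at two hops, while the dust sender and the exchange's other customer stay out of the cluster; drop either safeguard and both appear, which is the usual source of false attributions in this kind of analysis.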
