North Korean IT Workers Infiltrated 920 Crypto Jobs. Here's the $16.58M Investigation

The crypto industry just discovered it has a North Korean problem that's bigger than anyone imagined. A bombshell investigation has revealed that DPRK IT workers have successfully infiltrated between 345 and 920 developer positions across various crypto projects and companies, earning an estimated $16.58 million since January 2025 alone.

That's $2.76 million per month flowing directly to North Korean operatives who've been hiding in plain sight as legitimate developers. The payments range from $3,000 to $8,000 per month per position, suggesting a sophisticated operation that's been running under the radar for months.

The Scope of Infiltration

The investigation, led by blockchain security researcher ZachXBT, uncovered a web of deception that spans multiple high-profile projects. "My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies," ZachXBT revealed in his detailed analysis.

The math is staggering. Dividing the $2.76 million monthly total by per-worker payments of $3,000 to $8,000, the investigation suggests these operatives have secured anywhere from 345 jobs on the conservative end (at $8,000 each) to 920 positions on the higher estimate (at $3,000 each). This isn't just a few bad actors; it's a systematic infiltration of the crypto development ecosystem.

Recent Exploits Linked to DPRK Workers

The investigation gets more alarming when you consider recent security breaches. Multiple projects tied to Pepe creator Matt Furie and ChainSaw, along with another project called Favrr, were exploited in the past week, resulting in approximately $1 million stolen. The analysis directly links both attacks to the same cluster of DPRK IT workers who were likely hired as legitimate developers.

"My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers," the researcher noted, highlighting how these operatives aren't just collecting paychecks—they're actively exploiting the systems they're supposed to be protecting.

The Broader Crime Supercycle

This revelation comes amid what security experts are calling a "crime supercycle" in crypto. The same investigation detailed how the industry has become increasingly vulnerable to various forms of exploitation, from social engineering scams to smart contract exploits.

"The crime supercycle is indeed very real," ZachXBT observed. "While it's true the industry has historically been ripe for abuse it has noticeably increased since politicians launched meme coins and numerous court cases were dropped further enabling the behavior."

The researcher estimates that the Black U market on Tron alone represents $5-10 billion in largely unattributed illicit activity. Laundering groups and small OTC brokers have seemingly won the battle against law enforcement, successfully laundering recent major hacks including Bybit, DMM Bitcoin, and WazirX "with ease."

Industry Response and Implications

The crypto community is grappling with the implications of this discovery. Projects that unknowingly hired North Korean IT workers now face the dual challenge of identifying compromised team members while assessing potential security vulnerabilities in their systems.

The investigation also raises questions about the hiring practices and due diligence processes used by crypto companies. With remote work becoming the norm and the global nature of the crypto industry, traditional vetting methods may be insufficient to prevent state-sponsored infiltration.

"A number of teams sit and watch collecting fees doing nothing when >50% of the activity for their protocol comes from stolen funds," the researcher noted, highlighting the complacency that has allowed such operations to flourish.

The Paradigm Partnership

In a related development, ZachXBT announced a partnership with Paradigm as an incident response advisor to assist their portfolio companies. "It was an easy decision as this gives me the freedom to continue helping the community and publishing investigations," he stated.

This partnership signals the industry's recognition that security threats have evolved beyond traditional cybersecurity measures to include sophisticated state-sponsored operations that require specialized expertise to detect and counter.

What This Means for Crypto

The North Korean IT worker infiltration represents a new category of threat that combines traditional espionage with modern cryptocurrency exploitation. Unlike external hacks or social engineering attacks, these threats come from within the development teams themselves.

Companies must now not only assess the technical skills of their developers but also implement robust background checks and monitoring systems to detect potential bad actors. The $16.58 million already extracted since January suggests this problem will only grow if left unchecked.

As the crypto industry continues to mature, it faces an uncomfortable reality: the very decentralization and global accessibility that make it innovative also make it vulnerable to state-sponsored infiltration. The question now is whether the industry can adapt its security practices fast enough to counter these evolving threats.

About the author
Tanya Petrusenko

Tanya Petrusenko is a blockchain marketing expert with 10+ years of experience working with top DeFi, exchange, and mining firms. She holds an MSc in International Business from Vienna University.
