North Korean IT Workers Infiltrated 920 Crypto Jobs: $16.58M Secretly Funneled to DPRK
A new investigation has exposed the staggering scope of North Korean infiltration into the cryptocurrency industry, revealing that DPRK IT workers have successfully embedded themselves in hundreds of legitimate crypto jobs while secretly funneling millions back to North Korea.
The investigation, published by blockchain security researcher ZachXBT, uncovered more than $16.58 million in payments since January 1, 2025—equivalent to $2.76 million per month—flowing directly to North Korean IT workers hired as developers at various crypto projects and companies.
The Scale of Infiltration
The numbers paint a disturbing picture of systematic infiltration. With payments ranging from $3,000 to $8,000 per month per worker, the data suggests North Korean operatives have infiltrated between 345 and 920 jobs across the crypto industry.
"To put this in perspective, payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end," ZachXBT explained in his detailed analysis.
This revelation comes as the crypto industry grapples with what researchers are calling a "crime supercycle"—a period of unprecedented illicit activity enabled by regulatory gaps and enforcement challenges.
Recent Exploits Linked to DPRK Workers
The investigation directly connects several high-profile exploits to these embedded North Korean workers. Multiple projects tied to Pepe creator Matt Furie and ChainSaw, along with another project called Favrr, were exploited in the past week, resulting in approximately $1 million stolen.
ZachXBT's analysis links both attacks to the same cluster of DPRK IT workers who were "likely accidentally hired as developers." The sophisticated nature of these operations suggests a coordinated effort by North Korean state actors to both generate revenue and conduct cyber operations from within legitimate crypto companies.
The Broader Crime Ecosystem
The North Korean infiltration is part of a larger criminal ecosystem that has seen explosive growth in 2025. The researcher notes that "the crime supercycle is indeed very real," pointing to several factors that have emboldened bad actors:
Politicians launching meme coins have normalized questionable behavior, while numerous court cases being dropped have further enabled criminal activity. Laundering groups and small OTC brokers have "seemingly won the battle for Lazarus Group" after successfully laundering recent major hacks including Bybit, DMM Bitcoin, and WazirX.
Perhaps most concerning is the researcher's estimate that "the Black U market on Tron is no less than $5-10B and largely unattributed."
Industry Response and Implications
The revelation has sent shockwaves through the crypto industry, with many questioning how such extensive infiltration could occur undetected. The sophistication of the operation suggests these workers likely underwent extensive training to appear as legitimate developers while maintaining their covert activities.
For crypto companies, this presents an immediate security challenge. The investigation suggests that standard hiring practices may be insufficient to detect state-sponsored operatives who have been specifically trained to blend in with legitimate development teams.
What This Means for Crypto Security
The $16.58 million figure represents just the tip of the iceberg. With North Korean operatives potentially embedded in nearly 1,000 crypto-related positions, the total impact on the industry could be far greater than initially estimated.
The investigation also highlights the evolving nature of state-sponsored cyber operations. Rather than relying solely on external attacks, North Korea appears to have adopted a strategy of infiltrating the industry from within, allowing for more sophisticated and targeted operations.
As the crypto industry continues to mature and attract institutional investment, the presence of state-sponsored operatives within legitimate companies poses significant risks to both individual projects and the broader ecosystem's credibility.
The investigation serves as a stark reminder that the crypto industry's rapid growth has created new vulnerabilities that sophisticated adversaries are actively exploiting. With $16.58 million already identified in just two months of 2025, the full scope of North Korean infiltration may be far more extensive than anyone previously imagined.
