According to information released by ZachXBT
This group of North Korean IT laborers possesses over 30 false identities, and even holds government-issued identification documents. They have purchased Upwork and LinkedIn accounts to obtain remote development jobs. Their Google Drive, Chrome profiles, and device screenshots indicate that the team uses Google tools to schedule appointments, allocate tasks, and manage budgets, with English as the primary communication language.
The internal weekly report documents from 2025 further reveal the team’s operational status
The content even includes members stating that they “cannot understand work requirements” while encouraging themselves to “fully commit.” Expenditure records show that they have purchased U.S. Social Security Numbers (SSN), phone numbers, AI subscription services, computer rentals, and VPN/proxy services to support their false identity operations.
ZachXBT points out
The team first purchases or rents computers, then completes work remotely via AnyDesk. Additionally, one of the cryptocurrency wallet addresses they use, 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c, is highly correlated with the $680,000 vulnerability case on the Favrr platform in June 2025, where the CTO and several developers have been confirmed to be North Korean IT laborers holding false documents.
Moreover, this address is also linked to more North Korean IT laborers involved in other projects
Browsing records show that they frequently use Google Translate to translate content into Korean and access the internet through Russian IPs, further corroborating their identity backgrounds.
ZachXBT believes that one of the challenges in combating North Korean IT laborers
Is the lack of collaboration between service providers and the private sector, along with the passive or even resistant attitudes of some hiring entities after receiving warnings. He notes that while the skills of these IT laborers are not particularly advanced, their large numbers and penetration into the global developer market still pose a significant threat. It is also worth noting that they frequently use Payoneer to convert fiat income into cryptocurrency.