
After hacking back into a North Korean hacker's device, I saw how they "work"

Summary: A certain hacker once complained in a memo that he "could not understand the work requirements and did not know what to do," and the corresponding solution was "put in effort and work twice as hard"...
OdailyNews
2025-08-14 10:11:39

Author: ZachXBT

Compiled by: Azuma, Odaily Planet Daily

Editor's Note

North Korean hackers have long been a major threat to the cryptocurrency market. Until now, victims and industry security staff could only infer their behavior patterns after the fact, by reconstructing them from the incidents they caused. Yesterday, however, the well-known on-chain investigator ZachXBT cited in his latest tweet an analysis by a white-hat hacker who had compromised a North Korean operator's device, giving a first look from the inside at how these operators "work"; the findings may help industry projects put preventive measures in place.

Below is the full text from ZachXBT, compiled by Odaily Planet Daily.

A hacker who wishes to remain anonymous recently hacked into the device of a North Korean IT worker, exposing the inner workings of a five-person technical team operating more than 30 fake identities. The team not only holds government-issued fake identification documents but also infiltrates development projects by purchasing Upwork and LinkedIn accounts.

Investigators obtained data from their Google Drive, Chrome browser profiles, and device screenshots. The data shows that the team heavily relies on Google tools to coordinate work schedules, task assignments, and budget management, with all communication conducted in English.

A weekly report from 2025 revealed the team's working patterns and the difficulties they ran into; for example, some members complained that they "could not understand the work requirements and did not know what to do," while the corresponding solution section simply said "put in effort and work twice as hard"...

Expense records indicate that their expenditures include purchases of Social Security Numbers (SSNs), transactions for Upwork and LinkedIn accounts, phone number rentals, AI service subscriptions, computer rentals, and VPN/proxy service procurements, among others.

One spreadsheet detailed the schedule and script for attending meetings under the fake identity "Henry Zhang." The operational process shows that these North Korean IT workers first purchase Upwork and LinkedIn accounts, rent computer equipment, and then complete outsourced work using AnyDesk remote control tools.

One of the wallet addresses they used for receiving and sending payments is: 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c;

This address is closely linked to the $680,000 Favrr protocol attack that occurred in June 2025, which was later confirmed to involve its CTO and other developers who were North Korean IT workers holding forged documents. Other North Korean IT personnel involved in infiltration projects were also identified through this address.

The team's search records and browser history also revealed the following key evidence.

Some may ask, "How can we confirm they are from North Korea?" In addition to all the fraudulent documents described above, their search history shows frequent Google Translate lookups into Korean, made from Russian IP addresses.

Currently, the main challenges for companies in preventing North Korean IT workers focus on the following aspects:

  • Lack of systematic collaboration: There is a lack of effective information sharing and cooperation mechanisms between platform service providers and private enterprises;
  • Oversight by employers: Hiring teams often exhibit a defensive attitude after receiving risk warnings, even refusing to cooperate with investigations;
  • Quantity advantage impact: Although their technical means are not complex, they continue to infiltrate the global job market due to a large base of job seekers;
  • Fund conversion channels: Payment platforms like Payoneer are frequently used to convert fiat income from development work into cryptocurrency;

I have previously introduced several indicators to watch out for, and those interested can refer to my historical tweets for more details, so I won't repeat them here.
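The indicators above (Google Translate lookups into Korean, sessions from Russian IP space, and AnyDesk on a rented machine) can be turned into a simple endpoint-screening rule. The script below is an added example written for this page; it is not code from ZachXBT, the white-hat hacker, or Odaily. It assumes an exported Chrome history (URLs only), session records already enriched with an ISO country code by a SIEM, and a process or software inventory; the inputs at the bottom are constructed samples, not artefacts from the case, and the remote-control tools other than AnyDesk are an assumption added because they play the same role.

```python
"""
Score an endpoint for the DPRK IT-worker indicators named in the article:
Google Translate usage with Korean as the target language, sessions from
Russian IP space, and remote-control tooling such as AnyDesk on a rented
machine. Sample inputs are constructed, not data from the case.
"""
from collections import Counter
from urllib.parse import urlparse, parse_qs

# AnyDesk is the tool named in the article; TeamViewer and RustDesk are an
# assumption, added because they serve the same "operate a rented laptop" role.
REMOTE_CONTROL_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

# Assumption: each session record already carries a SIEM-enriched country code.
HIGH_RISK_COUNTRIES = {"RU"}


def translate_targets(history_urls):
    """Count target languages (the `tl` query parameter) of Google Translate URLs."""
    targets = Counter()
    for url in history_urls:
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if not (host == "translate.google.com" or host.startswith("translate.google.")):
            continue
        tl = parse_qs(parsed.query).get("tl", [""])[0].lower()
        if tl:
            targets[tl] += 1
    return targets


def flagged_sessions(sessions, high_risk=HIGH_RISK_COUNTRIES):
    """Return (ip, country) pairs whose enriched country is on the watch list."""
    return [(ip, cc) for ip, cc in sessions if cc.upper() in high_risk]


def remote_tools(process_names):
    """Return the remote-control tool names present in a process/software inventory."""
    found = set()
    for name in process_names:
        stem = name.lower().rsplit(".", 1)[0]  # "AnyDesk.exe" -> "anydesk"
        if stem in REMOTE_CONTROL_TOOLS:
            found.add(stem)
    return found


def assess(history_urls, sessions, process_names, korean_threshold=0.5):
    """Combine the three indicators into a list of findings and a score (0-3)."""
    findings = []
    targets = translate_targets(history_urls)
    total = sum(targets.values())
    korean_share = targets["ko"] / total if total else 0.0
    if total and korean_share >= korean_threshold:
        findings.append(f"{targets['ko']}/{total} Google Translate lookups target Korean")
    risky = flagged_sessions(sessions)
    if risky:
        findings.append("sessions from high-risk IP space: " + ", ".join(ip for ip, _ in risky))
    tools = remote_tools(process_names)
    if tools:
        findings.append("remote-control tooling present: " + ", ".join(sorted(tools)))
    return {"score": len(findings), "korean_share": korean_share, "findings": findings}


# Constructed sample inputs (not real artefacts from the compromised device).
SAMPLE_HISTORY = [
    "https://translate.google.com/?sl=en&tl=ko&text=work+requirements&op=translate",
    "https://translate.google.com/?sl=en&tl=ko&text=weekly+report&op=translate",
    "https://translate.google.com/translate?sl=auto&tl=ko&u=https://docs.example.com/spec",
    "https://translate.google.com/?sl=en&tl=es&text=hello&op=translate",
    "https://www.upwork.com/nx/find-work/",
    "https://anydesk.com/en/downloads/windows",
]
SAMPLE_SESSIONS = [("203.0.113.7", "US"), ("198.51.100.9", "RU"), ("203.0.113.7", "US")]
SAMPLE_PROCESSES = ["chrome.exe", "AnyDesk.exe", "Code.exe"]

if __name__ == "__main__":
    result = assess(SAMPLE_HISTORY, SAMPLE_SESSIONS, SAMPLE_PROCESSES)
    for line in result["findings"]:
        print("-", line)
    print("score:", result["score"])
```

On the sample data the three indicators all fire and the score is 3. A high Korean share alone is weak evidence (a genuine Korean-speaking contractor produces the same history), which is why the rule reports each finding separately rather than a single verdict; the country watch list and the remote-control tool set are the knobs a hiring or security team would tune to its own risk model.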
