Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

ZachXBT

@zachxbt

Jul 2 • 10 tweets • 6 min read • Read on X

Scrolly

1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.

To put this in perspective payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end.

2/ Here’s a look into one of the six clusters I have been monitoring and was able to attribute 8 different DPRK ITWs that obtained roles at 12+ projects.

I traced out the payment addresses from the table to two consolidation addresses.

0x58225fed0714e5b9b235642eba7dae3714090a2d
0xa7f9555c34626eb81b64774356a40ca1a6a794ca

3/ Sandy Nguyen (@bullishgopher) a DPRK ITW from this cluster was spotted via OSINT next to the North Korea flag at an event in Russia.

A small group of people still believe North Korean devs are just a conspiracy despite all of the IOCs, research, etc widely available.

4/ Other indicators from this cluster after speaking with teams displayed immediate red flags.

>ITW refused to meet up irl with team member but claimed to live in same city
>Three ITWs referred each another for role at the same project
>Russian IPs for ITW supposedly from California
>Changing Github usernames / deleted LinkedIn
>payments for multiple ITWs flow to same address
>failed routine KYC check

5/ USDC was sent directly from Circle accounts to three addresses in this cluster.

It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim.

Other DPRK ITW clusters currently have decent sized quantities of USDC sitting.

I think it’s misleading Circle markets themselves as the most compliant stablecoin that puts security first when they do not have proper channels to report illicit activity and do not engage in incident response during major exploits.

6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active.

One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc)

They typically take on multiple roles at once and frequently get fired due to under performance so turnover is high.

Once they infiltrate a team and take ownership of contracts your project becomes at risk of an incident.

7/ A few key trends I have observed:

A common misconception is that US exchanges have more rigorous KYC/AML requirements than offshore competitors.

DPRK ITWs have an increasing number of accounts tied to US exchanges like Coinbase or Robinhood

MEXC remains a popular choice by ITWs for laundering funds onchain.

A few years ago Binance was widely used by ITWs but now it is rare due to improvements in detection and private industry collaboration that lead to seizures.

8/ Another misconception is crypto projects have the most DPRK ITWs when in reality the issue is just as bad if not worse at traditional tech companies.

The downside of fiat is you cannot trace funds back to the company to alert them whereas when ITWs are paid with crypto it makes all activity onchain traceable.

The rise of neobanks/fintech with stablecoin integrations has allowed DPRK ITWs to easily on-ramp fiat -> crypto.

9/ I believe that when a team hires multiple DPRK ITWs it is a decent indicator for determining that startup will be a failure.

Unlike other threats to the industry DPRK ITWs have little sophistication so it’s mainly the result of a team’s own negligence.

I think the prevalence of them is due to being cheap and the lack of available talent as well as high valuations that resulted in incompetent founders who received funding.

Update: Sandy Nguyen changed his X username after my post from ‘bullishgopher’ to ‘dddxxxssseaeff’

X user ID: 1532495241038778387

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @zachxbt

ZachXBT

@zachxbt

Oct 19

1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.

Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts.

2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount.

r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc

The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.

3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025.

On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity.

Read 9 tweets

ZachXBT

@zachxbt

Oct 15

1/ An investigation into how I identified one of suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee and earned a whitehat bounty for my efforts.

2/ 32 $TAO holders experienced unauthorized transfers in excess of $28M from May to July 2024 and the Bittensor network was temporarily halted on July 2, 2024.

A post-mortem published by the team revealed the thefts were the result of a supply chain attack after a malicious PyPi package was uploaded in late May 2024

Victims who downloaded the package and performed specific operations accidentally compromised private keys.

3/ I began tracing the stolen funds from two initial theft addresses, TAO was bridged to Ethereum via Bittensor native bridge, and then transferred to instant exchanges where the attackers swapped to XMR.

Victims:
$400K: 5ENiTXL63DRMKytjaDRBLnorwd6qURKcCVgsgpu8UQxgptQN
$13M: 5DnXm2tBGAD57ySJv5SfpTfLcsQbSKKp6xZKFWABw3cYUgqg

Read 12 tweets

ZachXBT

@zachxbt

Aug 13

1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.

2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English.

3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart”

Read 11 tweets

ZachXBT

@zachxbt

Jul 22

1/ An investigation into how @cryptobeastreal scammed followers by lying they were not behind the $190M -> $3M $ALT market cap crash where 45+ connected insider wallets sold $11M+ on July 14, 2025.

2/ Earlier this month Crypto Beast began aggressively promoting $ALT on X and TG.

On July 14, 2025 ALT crashed from 0.19 to 0.003 after insiders sold a large percent of the total supply.

All of these posts promoting the token. have since been deleted.

3/ Crypto Beast previously shared a public wallet on X & TG in now deleted posts.

Ledzo5cdS1RYfX4h391fYC8TF6xkwAC8U77F2pCaH4L

Read 12 tweets

ZachXBT

@zachxbt

Jun 27

1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen

My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.

2/ On Jun 18, 2025 at 4:25 am UTC ownership for ‘Replicandy’ from Matt Furie & ChainSaw was transferred to a new EOA 0x9Fca.

Jun 18, 2025
6:20 pm UTC: 0x9Fca withdrew mint proceeds from the contract
Jun 19, 2025
5:11 am UTC: 0x9Fca unpauses the mint

The attacker then minted NFTs and sold into bids causing the floor price to fall to zero.

3/ On Jun 23, 2025 the attacker transferred ownership from the ChainSaw deployer to 0x9Fca for Peplicator, Hedz, Zogz.

Similarly the attacker minted NFTs and sold them into bids causing the floor price to fall to zero.

0x9Fca3AC75cd66f3c62bea8231886513b9fe191BD

Read 12 tweets

ZachXBT

@zachxbt

Jun 23

1/ An investigation into how the New York based social engineering scammer Daytwo/PawsOnHips (Christian Nieves) stole $4M+ from Coinbase users by impersonating customer support, bought luxury goods, and lost most of the funds gambling at casinos.

https://twitter.com/bestvideosofct/status/1937120536846532672

2/ Daytwo operates a small call centre group and also works as a caller.

His group primarily coerced targets into setting up Coinbase wallet with a compromised seed on phishing sites.

Below is a video of his panel used and a sample of his voice when calling.

https://twitter.com/bestvideosofct/status/1937120536846532672

3/ In Nov 2024 $240K was stolen from an elderly victim with Daytwo’s worker Paranoia (Justin).

A private recording of the theft exists and was obtained (see part 1 below)

Theft address
bc1q35tw4f5qrfxrjy2v8g8d3majtujv28audm6yvp
AJU5yh4kDahLak4uq5n4ehJDVs2w2Lbhw9UHoseaBwV7