PANews reported on August 16 that according to Cointelegraph, blockchain investigator ZachXBT said he had found evidence of a complex network of North Korean developers who earn up to $500,000 a month by working for "mature" crypto projects. ZachXBT said in an X post on August 15 that he believed "a single entity in Asia" was likely operating outside of North Korea, earning $300,000 to $500,000 a month and employing at least 21 employees to participate in more than 25 cryptocurrency projects.
ZachXBT said: "Recently, a team asked me for help because $1.3 million was stolen from the treasury after the malicious code was pushed." ZachXBT analyzed that the latest $1.3 million stolen by North Korean developers was laundered through a series of transactions, including transfers to a theft address and eventually ending up with 16.5 Ethereum. After further investigating these developers, ZachXBT believed that they were part of a wider network. He tracked multiple payment addresses and found that a group of developers "received $375,000 last month" and previous transactions totaling $5.5 million from July 2023 to some point in 2024, which flowed into a deposit address of an exchange. These payments were subsequently linked to North Korean IT workers and an individual, Sim Hyon Sop, who was sanctioned by the United States' Office of Foreign Assets Control (OFAC) for allegedly coordinating financial transfers that ultimately supported North Korea's weapons programs.
ZachXBT said his investigation found other payment addresses closely tied to another OFAC-sanctioned individual, Sang Man Kim, who has been linked to North Korea-related cybercrime in the past. ZachXBT also found that IPs of developers claiming to work in the United States and Malaysia overlapped with Russian telecom IPs. At least one employee "accidentally revealed their other identities on a notepad." Some of the developers he found were even arranged by recruitment companies, and in some cases, they would recommend jobs to each other.
