Google Docs, Upwork, and LinkedIn: Inside North Korean IT Workers' Secret Crypto Operations

Investigations by popular blockchain sleuth ZachXBT have uncovered extensive North Korean infiltration in the global cryptocurrency development job market.

An unnamed source recently compromised a device belonging to a DPRK IT worker and provided unprecedented insight into how a small team of five IT workers operated over 30 fake identities.

DPRK Operatives Flood Crypto Job Market

According to ZachXBT’s tweets, the DPRK team reportedly used government-issued IDs to register accounts on Upwork and LinkedIn, to obtain developer roles on multiple projects. Investigators found an export of the workers’ Google Drive, Chrome profiles, and screenshots, which revealed that Google products were central to organizing schedules, tasks, and budgets, with communications primarily conducted in English.

Among the documents is a 2025 spreadsheet containing weekly reports from team members, which shed light on their internal operations and mindset. Typical entries included statements such as “I can’t understand the job requirement, and don’t know what I need to do,” with self-directed notes like “Solution / fix: Put enough efforts in heart.”

Another spreadsheet tracks expenses, showing purchases of Social Security numbers, Upwork and LinkedIn accounts, phone numbers, AI subscriptions, computer rentals, and VPN or proxy services. Meeting schedules and scripts for fake identities, including one under the name “Henry Zhang,” were also recovered.

The team’s operational methods reportedly involved purchasing or renting computers, using AnyDesk to perform work remotely, and converting earned fiat into cryptocurrency via Payoneer. One wallet address, 0x78e1, associated with the group is linked on-chain to a $680,000 exploit at Favrr in June 2025, where the project’s CTO and other developers were later identified as DPRK IT workers using fraudulent documents. Additional DPRK-linked workers were connected to projects via the 0x78e1 address.

Indicators of their North Korean origin include frequent use of Google Translate for Korean-language searches conducted from Russian IP addresses. ZachXBT said that these IT workers are not particularly sophisticated, but their persistence is bolstered by the sheer number of roles they target across the world.

Challenges in countering these operations include poor collaboration between private companies and services, as well as resistance from teams when fraudulent activity is reported.

North Korea’s Persistent Threat

North Korean hackers, notably the Lazarus Group, continue to pose a significant threat to the industry. In February 2025, the group orchestrated the largest crypto exchange hack in history, as it stole approximately $1.5 billion in Ethereum from Dubai-based Bybit.

The attack exploited vulnerabilities in a third-party wallet provider, Safe{Wallet}, which allowed the hackers to bypass multi-signature security measures and siphon funds into multiple wallets. The FBI attributed the breach to North Korean operatives, labeling it “TraderTraitor”.

Subsequently, in July 2025, CoinDCX, an Indian cryptocurrency exchange, fell victim to a $44 million heist, which was also linked to the Lazarus Group. The attackers infiltrated CoinDCX’s liquidity infrastructure, exploiting exposed internal credentials to execute the theft.