ZachXBT Uncovers Alleged DPRK IT Network Generating $1M Monthly Through Crypto Payments

ZachXBT exposed an alleged DPRK-linked crypto payment network that appears to have processed about $1 million per month.
TL;DR:

  • ZachXBT exposed data from an alleged DPRK-linked internal payment server that processed roughly $1 million per month through crypto-based flows over late 2025 and early 2026.
  • The leaked material reportedly included more than 390 accounts, chat logs, fake identities, and links to WebMsg, also known as luckyguys.site.
  • Sanctioned names, frozen addresses, and weak internal security reportedly suggest the network was operationally extensive yet structurally vulnerable.

ZachXBT has exposed what appears to be one of the clearest internal looks yet at an alleged DPRK-linked IT worker payment pipeline, tracing roughly $1 million per month in crypto flows through a compromised internal server. The leaked records, drawn from data tied to a North Korean payment operation, point to a system that allegedly used fake identities, internal messaging, and crypto-to-fiat rails to move funds at scale. What makes the disclosure so unsettling is not only the money, but the industrial structure behind it. Instead of isolated fraud, the picture is of an organized revenue machine.

Why the exposure matters beyond one payment server

The dataset reportedly covered more than 390 accounts, chat logs, transaction histories, browser activity, and fabricated identity material. It centers on an internal platform known as luckyguys.site, also referred to as WebMsg, where workers are said to have reported payments to handlers. Some users apparently never changed the default password, "123456," an almost absurd weakness for an operation moving millions. The contradiction is hard to miss: a network sophisticated enough to scale internationally, yet held together in places by basic security. That mix of discipline and sloppiness gave investigators a map of how the structure functioned.

The records also appear to connect the infrastructure to sanctioned corporate names. Sobaeksu, Saenal, and Songkwang, all entities under U.S. Treasury sanctions, reportedly surfaced in the breached user list. ZachXBT also tied internal payment addresses to known DPRK IT worker clusters, including an Ethereum address and a Tron address that Tether froze in December 2025. That pushes the story beyond suspicious payroll activity and into a sanctions, compliance, and illicit-finance problem with clear international implications. The leaked material reportedly spans about $3.5 million in processed payments since late November 2025, giving the alleged network unusual operational visibility.

The deeper implication is that crypto payments remain a usable settlement layer wherever conventional channels are constrained, obscured, or politically risky. Here, that flexibility appears to have supported a labor and payment apparatus built on deception, fake credentials, and internal coordination. What this investigation ultimately reveals is not only a North Korea-linked revenue stream, but a scalable operational model for moving money through crypto under false identities. For the market, the lesson is uncomfortable: the same rails that make cross-border value transfer efficient can also make covert financial infrastructure remarkably durable.
