Leaked Device Reveals North Korea's Crypto Freelance Trick

The findings come from a hacked device belonging to one of the group’s members.

Screenshots from the compromised system exposed six individuals, believed to be connected to a $680,000 exploit in June, coordinated their operations using familiar tools and rented equipment.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is a Cryptocurrency: For Beginners (Animated Explainer)

SUBSCRIBE

ON YOUTUBE

The group created and managed over 30 false identities, complete with forged documents and paid accounts on LinkedIn and UpWork. These profiles were then used to apply for remote jobs in the blockchain industry.

One member was found to have gone through an interview process for a developer role at Polygon MATIC $0.2515 Labs, while others submitted applications claiming to have worked at platforms like OpenSea and Chainlink LINK $23.63 .

Once hired, the team relied on remote access software such as AnyDesk and used VPNs to hide their actual locations. Their daily workflow was organized through Google’s ecosystem, including Drive, Chrome profiles, and calendar tools, often supported by Google Translate to assist with English communication.

Payments for their services typically flowed through Payoneer and were later converted into crypto. One wallet address, labeled "0x78e1a", was directly linked to the June hack of the fan-token platform Favrr.

Other insights from the leaked device include simple technical searches, such as whether ERC-20 tokens can operate on Solana SOL $204.26 , and queries like identifying top artificial intelligence (AI) developers in Europe.

Recently, Meta deleted over 6.8 million WhatsApp accounts linked to scam groups running crypto fraud schemes. How do these scam groups operate? Read the full story.