BlockBeats News, April 8th: on-chain sleuth ZachXBT revealed that an anonymous source shared data stolen from a North Korean internal payment server, covering 390 accounts, chat records, and cryptocurrency transaction information. The data describes a sophisticated fraud network with a monthly turnover of about $1 million, involving identity fraud, forged legal documents, and cryptocurrency-to-fiat conversion channels.
The internal payment platform used by North Korean IT workers resembles Discord and is used for reporting to superiors and making payments. The website's default password, "123456," has not been changed for a long time. The user list includes roles, North Korean names, cities, and group codes, and involves three companies already sanctioned by OFAC: Sobaeksu, Saenal, and Songkwang. From the end of November 2025 to the present, the platform's payment wallets have received over $3.5 million in total. The payment pattern is fixed: workers either transfer cryptocurrency from exchanges or use platforms like Payoneer to transfer fiat through bank accounts. The admin, "PC-1234," provides account credentials after confirming receipt.
An organizational chart clearly shows the total payments for each user and group, as well as other activities and internal details of the gang, including the use of Astrill as a firewall-circumvention tool, job applications under fake identities, Slack discussions, and the sharing of reverse engineering training materials. Some chat records show North Korean IT workers discussing stealing project funds through Nigerian proxies, but it has not been confirmed whether this was carried out.