1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained. Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English.
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about. “I can't understand job requirement, and don't know what I need to do” “Solution / fix: Put enough efforts in heart”
4/ A spreadsheet for expenses shows them purchasing SSNs, Upwork/LinkedIn accounts, phone numbers, AI subscriptions, computer rentals and VPNs/proxies.
5/ Here is a spreadsheet that shows the meeting schedules for jobs and a script used for the fake identity ‘Henry Zhang’
6/ The DPRK ITWs would purchase Upwork & LinkedIn accounts, buy or rent a computer, and then use AnyDesk to conduct work.
7/ One of the wallet addresses used by them to send and receive multiple payments was 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents. Additional DPRK ITWs were identified at projects from the 0x78e1 address.
9/ Other interesting items from their searches and browser history included:
10/ Still, one of the more common questions is “how do you know they are North Korean?” Well, besides all of the fraudulent documents detailed above, their search history showed frequent Google Translate usage with translations to Korean from a Russian IP.
11/ The main challenges faced in fighting DPRK ITWs at companies include the lack of collaboration between services and the private sector. There’s also the negligence by the teams hiring them, who become combative when alerted. ITWs are in no way sophisticated but are
@zachxbt Fuck. I hired Clark Pickles last week
@tecnico0x Cracked dev fr
@zachxbt North Korean scammers rn
@Friedrich__Wil Them reporting to their boss tomorrow after their activities were broadcasted across the entire internet:
@zachxbt Zach at it again
@zachxbt must say i found this fascinating. gg
@zachxbt 😭😭
@0xeles rip
@zachxbt Kindly check dm please 🫠
@oxbuka No
@zachxbt quite dang impressive how sophisticated they operate. kinda ironic that they got themselves ratted tho
@Hauber_RBLX The best way to think of it is DPRK ITWs are essentially the people that were too incompetent to get recruited for their more well known hacking sub-groups (DangerousPW/Sapphire Sleet, TraderTraitor, AppleJeus, etc)
@zachxbt As expected of the big shot who got covered by CCTV. 🐮👍🏻
@dogewlfi Thank you
@zachxbt Sounds like a textbook DPRK IT ops playbook — small team, big reach, fake IDs, bought accounts, and quietly embedded in real dev projects.
@Web3Het Blocked for using AI for your reply
@zachxbt How many more teams like this are quietly operating right now?
@cryptofuture456 Their team is definitely newer / less experienced than others but it’s difficult to say