Time 13:02

ZachXBT: North Korean IT personnel exposed as operating 30+ fake identities, involved in $680,000 attack

August 13, 2025
CoinFeed News

According to ZachXBT, a source hacked into the devices of North Korean IT personnel and discovered that their small team obtained developer positions through more than 30 fake identities, used government IDs to purchase Upwork and LinkedIn accounts, and carried out their work through AnyDesk. The data obtained includes Google Drive exports, Chrome profiles, and screenshots. The wallet address 0x78e1 is closely linked to the $680,000 attack on the Favrr platform in June 2025, and more North Korean IT personnel were also identified. The team used Google products to schedule tasks, purchase SSNs, AI subscriptions, and VPNs. Some browsing records showed frequent use of Google Translate to translate Korean, and the IP address was from Russia. Neglect by recruiters and a lack of collaboration between services have become the main challenges in combating such behavior.
