North Korean hacker team exposed: fake identities used to infiltrate crypto project
Revealing the Internal Operations of North Korean Hacker Teams
Recently, an anonymous white-hat hacker successfully infiltrated the device of a North Korean IT worker, revealing how a five-person technical team used over 30 fake identities for online activities. This team not only possessed forged official identification documents but also penetrated various development projects by purchasing accounts on online platforms.
Investigators obtained the team's cloud storage data, browser configuration files, and device screenshots. The data shows that the team heavily relies on a certain tech giant's office suite to coordinate work schedules, allocate tasks, and manage budgets, with all communication conducted in English.
A weekly report document from 2025 reveals the working patterns of the hacker team and the challenges it faced. For example, some members complained that "they couldn't understand the work requirements and didn't know what to do," while the corresponding solution was surprisingly "to invest more effort and double down on hard work."
The team's expense details show that their spending items include purchasing a Social Security Number (SSN), online trading platform accounts, renting phone numbers, subscribing to AI services, leasing computers, and purchasing VPN/proxy services.
A detailed spreadsheet recorded the schedule and script for attending the meeting under the false identity "Henry Zhang". The operation process shows that these North Korean IT workers first purchase online platform accounts, rent computer equipment, and then complete outsourced work through remote control tools.
The investigation also found a wallet address used by the team for receiving and sending funds, which has a close on-chain connection to the $680,000 protocol attack incident that occurred in June 2025. It was later confirmed that the CTO of the attacked project and other developers were North Korean IT workers holding forged documents. Through this address, other North Korean IT personnel in infiltrated projects were also identified.
A large amount of key evidence was found in the search records and browser history of the team members. Some may question how to confirm that they are from North Korea; in addition to the fraudulent documents mentioned above, their search history also shows frequent use of online translation services and the use of Russian IPs to translate content into Korean.
Currently, the main challenges that companies face in preventing North Korean IT workers include:
This investigation gives the industry a rare opportunity to see the "working" methods of North Korean hackers from the inside, which is of significant importance for project teams taking preemptive security measures. Both enterprises and individuals should remain vigilant and enhance their ability to identify and prevent potential threats.