Sanctuary Intelligence Desk

The platform operated as an internal IPMsg-style chat plus a payment-tracking dashboard. 140 network members had access. Roughly 33 workers operated under active fake identities at any one time. Workers received tasks, submitted invoices, and got paid in cryptocurrency — primarily USDT on TRON.
The financial flow processed approximately $3.5 million from late November 2025 through early April 2026. That is roughly $1 million per month. Workers were paid in the $3,000 to $8,000 range per month per identity, comparable to junior-to-mid software-engineering rates on Western remote-work platforms.
Account names visible in the leaked data correspond, in some cases, to OFAC-sanctioned shell entities Sobaeksu, Saenal, and Songkwang — entities designated by Treasury in 2023 and earlier waves for laundering DPRK-attributed crypto proceeds. The luckyguys.site platform was not an isolated criminal enterprise. It was the payment layer for a much larger operation that has been running for years.
ZachXBT's separate accounting puts the total DPRK IT-worker crypto payments at $16.58 million since January 1, 2025 (per his X post 1940388827392344261). Spread over that period, that works out to a run rate of roughly $1 million per month, consistent with the luckyguys.site dataset.
The DPRK IT-worker scheme has been documented by US and Korean intelligence agencies, by Mandiant, by Microsoft Threat Intelligence, and by independent threat-research outfits for several years. The mechanics are well understood and unfortunately replicable.
A worker — typically based in Russia, China, Vietnam, Laos, or Pakistan — assumes a fake identity. The identity has a US, Canadian, European, or Japanese name; a fake LinkedIn profile; a synthetic GitHub history populated with forked or contributed-to public repositories; and, increasingly, an AI-generated voice and face for video interviews. Some operations use real US citizens as "front" identities, paying them a percentage to lend the documents.
The worker applies for remote engineering roles at crypto companies. Hiring managers who do not run rigorous background checks — and many do not — onboard the worker. The worker delivers technically competent work for months or years.
Two months ago, ZachXBT separately documented that ElementalDeFi, a Solana protocol, had a DPRK IT worker named "Keisuke Watanabe" (aliases kasky53, keisukew53, kdevdivvy, 0xWoo) on the payroll for years. The same individual was simultaneously CTO of Stabble, another Solana DEX, through 2025. When the connection was revealed, Stabble's liquidity providers withdrew emergency funds, dropping TVL from $1.75 million to under $663,000 in hours.
The pattern repeats: a crypto company employs a developer who is, unbeknownst to them, a DPRK operative. Salary is paid into a wallet that the operative does not personally control — it routes through a payment-network coordinator. The coordinator skims a margin, the rest gets converted via USDT TRC-20 and routed through OTC operators to Pyongyang.
On March 12, 2026, Treasury's Office of Foreign Assets Control published an enforcement action that named six individuals and two entities and added 21 cryptocurrency wallet addresses to the Specially Designated Nationals (SDN) List. The designations covered:
- **Nguyen Quang Viet**, CEO of Quangvietdnbg International Services in Vietnam. OFAC alleged Viet personally converted approximately $2.5 million into cryptocurrency for DPRK between mid-2023 and mid-2025.
- **Do Phi Khanh, Hoang Van Nguyen, Yun Song Guk** (the DPRK IT-worker lead in Boten, Laos), **Hoang Minh Quang** (financial coordinator), and **York Louis Celestino Herrera**.
- **Amnokgang Technology Development Company** (DPRK), connected to 7 addresses with $12M+ in flows.
- **Quangvietdnbg International Services Company Limited** (Vietnam).
The action also re-designated **Sim Hyon Sop**, the China-based representative of Korea Kwangson Banking Corporation (KKBC), who had been on the SDN list since April 2023. The re-designation added 11 new Ethereum and TRON addresses to Sim's entry and — critically — flagged active links to Iran's Islamic Revolutionary Guard Corps (IRGC). This is the first publicly confirmed DPRK ↔ IRGC laundering overlap.
The 21 specific addresses include Amnokgang Ethereum wallets (0xcB74874f1e06Fcf80A306e06e5379A44B488bA2D among others), Amnokgang TRON wallets (TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7 and others), Yun Song Guk Ethereum wallets, Hoang Minh Quang Bitcoin wallet `bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq`, and Sim Hyon Sop's new Ethereum and TRON wallets.
These addresses, in aggregate, are the payment endpoints for the luckyguys.site network. They are the receiving wallets that the IT-worker salary flows ultimately terminate at, after one to four hops through coordinator wallets and OTC desks.
Cross-referencing the luckyguys.site dataset against the March 12 SDN additions produces a complete two-step graph: workers' immediate paymaster wallets (visible in the luckyguys data) → OFAC-designated coordinator/laundromat wallets (visible in the SDN list) → ultimate beneficiary in Pyongyang.
For Sanctuary's purposes, this means any wallet that paid one of the luckyguys.site-tagged worker addresses since November 2025 has on-chain exposure to OFAC-designated entities. Sanctuary tags those payment-source wallets with `dprk_it_worker_payroll` and inherits the OFAC SDN flag at hop one.
The practical implication for crypto companies is direct. If your company has paid contractor invoices in USDT TRC-20 since mid-2025, run those payment addresses through a wallet-screening engine that has the luckyguys cluster labeled. Sanctuary's `intelligence_flags` include `dprk_it_worker_payroll_2025_2026` as a discrete category. Cross-checks against your payroll history will surface any address that overlaps the cluster.
Coinbase, Kraken, and Bitstamp run this kind of cross-check on incoming deposits as standard practice. Smaller exchanges and crypto-native employers often do not. If you are a 20-person crypto startup with three offshore contractors, you almost certainly do not. The cost of finding out one of your contractor wallets is now in the cluster is significant: under US law, payment to an OFAC-designated entity is a strict-liability violation. The defense "we didn't know" is not, in practice, a defense.
For freelancer marketplaces — Upwork, Toptal, Fiverr, Crypto Jobs List, and the on-chain platforms — the implications are larger. The leaked luckyguys data shows specific marketplace handles used by the network. Marketplaces that ingest the data and screen withdrawal addresses can identify accounts that participated. Most marketplaces have not.
The $1 million per month run rate from luckyguys.site is not the total DPRK IT-worker economy. It is one network's coordinator system. There are believed to be multiple parallel systems — luckyguys was simply the one that an operator accidentally exposed.
The State Department's MSMT (Multilateral Sanctions Monitoring Team) published an October 2025 report estimating that DPRK IT-worker schemes generated approximately $800 million in 2024 alone. The March 12, 2026 OFAC action referenced the same figure. If luckyguys.site is a representative sample, there are 65 to 80 networks of similar scale running in parallel.
DOJ has been filing criminal cases at a measured pace. Five DPRK IT-worker-related guilty pleas and $15 million in civil forfeitures landed in November 2025 and the months following. The "Prince" indictment in January 2026 charged co-conspirators with placing DPRK workers at 64 US companies, generating approximately $950,000 in salaries. A separate $7.7 million civil forfeiture for stolen IT-worker proceeds is pending.
The number that should worry crypto-company compliance officers is the per-worker run rate. $3,000-$8,000 per month per identity, scaled across 33 active identities in one network, scaled across an estimated 65-80 networks. The arithmetic gets to $200-$400 million per year in IT-worker payroll alone, before factoring in the larger DPRK hack proceeds ($577M YTD 2026 via Drift and KelpDAO).
For crypto company hiring managers in 2026: any remote-only contractor who refuses to do live video, refuses to come on camera in unscripted contexts, has a thin or recently created social footprint, declines to do quick whiteboarding, or has unexplained gaps in availability is worth a second look. The threat profile is not "hostile actor with sophisticated cover" — most luckyguys workers, per the leaked dataset, used commodity tooling, default passwords, and obvious operational mistakes. They succeed because hiring funnels in 2026 are remote, fast, and incentivise speed.
For finance / payroll teams: do not pay contractor invoices in cryptocurrency without screening the destination address. Sanctuary, Chainalysis Reactor, Elliptic Lens, and TRM Tactical can all generate a per-address risk score on demand. The marginal cost is negligible. The downside of a single OFAC violation can be a $10 million+ settlement and a deferred prosecution agreement.
For exchanges: screen withdrawal addresses against the OFAC March 12 designations. The 21 addresses are the floor; the cluster around them is larger. Sanctuary's `dprk_it_worker_payroll` tag covers the cluster at three to five hops outbound from each designated wallet.
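The hop-based exposure logic described above (payer → worker payout address → coordinator → OTC desk → designated wallet, with the hop-one payroll tag and a configurable hop cutoff) can be sketched as a small screening routine. This is an added illustration, not Sanctuary's own code; the transfer edges, address labels and tag names are constructed placeholders, not real on-chain data.

```python
from collections import deque

# Constructed sample transfers (placeholder labels, not real addresses): (from, to, asset).
TRANSFERS = [
    ("EMPLOYER_A", "WORKER_1", "USDT-TRC20"),
    ("EMPLOYER_B", "WORKER_2", "USDT-TRC20"),
    ("WORKER_1", "COORD_1", "USDT-TRC20"),
    ("WORKER_2", "COORD_1", "USDT-TRC20"),
    ("COORD_1", "OTC_DESK", "USDT-TRC20"),
    ("OTC_DESK", "SDN_WALLET_1", "USDT-TRC20"),
    ("EMPLOYER_C", "FREELANCER_OK", "USDT-TRC20"),   # unrelated, clean flow
    ("FREELANCER_OK", "CEX_DEPOSIT", "USDT-TRC20"),
]
SDN_ADDRESSES = {"SDN_WALLET_1"}                     # stands in for the designated wallets
WORKER_PAYOUT_ADDRESSES = {"WORKER_1", "WORKER_2"}   # stands in for leaked worker addresses


def upstream_exposure(transfers, sinks, max_hops):
    # BFS over reversed edges from the designated wallets: {addr: (hops, next_hop_to_sink)}
    payers_of = {}
    for src, dst, _asset in transfers:
        payers_of.setdefault(dst, set()).add(src)
    dist = {s: (0, None) for s in sinks}
    queue = deque(sinks)
    while queue:
        cur = queue.popleft()
        hops = dist[cur][0]
        if hops >= max_hops:
            continue
        for payer in payers_of.get(cur, ()):
            if payer not in dist:              # first visit = shortest hop count
                dist[payer] = (hops + 1, cur)
                queue.append(payer)
    return dist


def screen(address, transfers=TRANSFERS, sinks=SDN_ADDRESSES,
           workers=WORKER_PAYOUT_ADDRESSES, max_hops=5):
    tags = set()
    # Hop-one rule: a wallet that paid a tagged worker address inherits the payroll tag.
    if any(src == address and dst in workers for src, dst, _ in transfers):
        tags.add("dprk_it_worker_payroll")
    exposure = upstream_exposure(transfers, sinks, max_hops)
    if address not in exposure:
        return {"address": address, "hops_to_sdn": None, "path": [], "tags": sorted(tags)}
    tags.add("ofac_sdn_exposure")
    path, cur = [address], address
    while exposure[cur][1] is not None:        # walk next-hop pointers down to the sink
        cur = exposure[cur][1]
        path.append(cur)
    return {"address": address, "hops_to_sdn": exposure[address][0],
            "path": path, "tags": sorted(tags)}
```

Lowering `max_hops` shows the cutoff trade-off: an employer four hops upstream of the designated wallet still carries the payroll tag but drops out of the SDN-exposure set.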
The default password is "123456." The network behind it processed $1 million a month.
DPRK's edge in 2026 is not technical sophistication. It is scale and patience. The defense against scale is also scale — every crypto company, every freelancer marketplace, every payroll provider with crypto rails, needs the address cluster in its screening pipeline. Once it is in the pipeline, the next $200,000 you almost paid to "Keisuke Watanabe" gets stopped at the wire.
Screen the wallet. The password told you what you needed to know.