North Korea–backed cyber operatives are quietly embedding themselves within the cryptocurrency industry by securing legitimate IT roles at blockchain and crypto firms. On June 2, on-chain investigator ZachXBT revealed that since January 2025, North Korean-linked workers may have taken up between 345 and 920 jobs—earning over $16.58 million in total pay. His findings raise serious concerns over insider access, compliance failures, and escalating use of crypto infrastructure to evade sanctions.
Calculating the Scale of the Problem
ZachXBT’s inquiry followed the trail of roughly $16.58 million in crypto payments to wallets affiliated with North Korean IT operatives. Dividing the approximate monthly outflow of $2.76 million by the estimated salary of $3,000-$8,000 per worker indicates that there are at least 345 workers (at the top of the salary range) and potentially as many as 920 (at the bottom). This level of infiltration indicates a concerted and well-resourced effort to insert operatives into crypto ecosystems.
Spotting the Red Flags
Several indicators have triggered suspicion: employees using Russian IPs while claiming to live in the U.S., frequent GitHub handle changes, and repeated failures of Know Your Customer (KYC) and Anti-Money Laundering (AML) checks. ZachXBT even linked one suspect, “Sandy Nguyen”, to a gathering of North Koreans in Russia via open-source intelligence. This convergence of anomalies highlights a pattern of deceptive hiring practices designed not just for income, but for strategic infiltration.
From Job to Exploit
The danger goes beyond payroll. Numerous cases show these hires playing active roles in breaches: some have introduced malicious code into smart contracts, while others gained access to corporate systems to carry out rug pulls or hacks. For example, four North Korean operatives, acting as remote developers at U.S. and Serbian companies, stole nearly $915,000 in crypto by brazenly exploiting their internal access. These actions fit into the overall DPRK strategy of generating revenue from cybercrime.
Stablecoins: A Payment Vehicle
The use of Circle’s USDC stablecoin has come under notable scrutiny. ZachXBT claims many of the infiltrating workers received salaries in USDC—and that Circle has not effectively flagged or frozen suspicious accounts despite compliance obligations. Given stablecoins’ speed and legitimacy, this mode of payment offers an appealing channel for covert state-sponsored transactions.
U.S. Law Enforcement Responds
In response to this rising threat, U.S. officials executed a major crackdown on June 30. The DOJ and FBI investigations established that there has been a widespread remote-worker scheme in which North Korean nationals stole identities in order to work remotely at over 100 U.S. companies, resulting in over $3 million in damages and over $900,000 in crypto thefts. In parallel, seizures included nearly 200 laptops, 29 domains, and financial accounts tied to the scheme.
Understanding the Broader Threat
These operations are part of a larger cybercrime apparatus. North Korea’s Lazarus Group has stolen more than $6 billion from crypto platforms around the globe in the last decade, including a $1.5 billion hack of Bybit in February 2025. The remote hiring scheme is a subset of these more significant thefts, providing a more stable source of income, and better access.
Recommendations for Crypto Firms
To respond to this risk, crypto companies must upgrade their due diligence practices. These actions include extensive IP and location checks, on-chain payroll audits, highly effective KYC/AML measures, and internal reviews of employees who hold privileged access. Firms must also collaborate with regulators, stablecoin issuers, and law enforcement to identify and cut off this infiltration.
Conclusion
The revelation that North Korean cyber operatives have propped open the door to hundreds of crypto-industry jobs reveals a subtle and ever-evolving form of state-backed espionage. It is an even more dangerous adversary when these criminal intrusions are what on-chain analysts like ZachXBT often describe as ‘infiltration’. Crypto firms have a real dilemma on their hands: either bolster their own internal defenses or continue to be accomplices in their nation’s geopolitical cyber risks.