
"The internal platform at the center of the investigation was luckyguys.site, also referred to internally as WebMsg. It functioned as a Discord-style messenger, allowing DPRK IT workers to report payments to their handlers."
"At least ten users had never changed the default password, which was set to 123456. The user list contained roles, Korean names, cities, and coded group names consistent with known DPRK IT worker operations."
"Payments were confirmed through a central admin account identified as PC-1234. ZachXBT shared direct message examples from a user nicknamed Rascal, which detailed transfers tied to fraudulent identities spanning December 2025 through April 2026."
An investigation by ZachXBT uncovered a North Korean IT worker payment server that processed over $3.5 million since late November 2025. The server, linked to luckyguys.site, was compromised by infostealer malware. The exposed data included 390 accounts, chat logs, and transaction records. Notably, many users had not changed the default password '123456'. Three sanctioned entities appeared in the user list. The internal platform allowed DPRK IT workers to report payments, with a central admin account confirming the transactions. Payments were tied to fraudulent identities and forged documents.
Read at news.bitcoin.com