North Korean IT Worker’s ‘123456’ Password Exposes $1M Money‑Laundering Backend
An investigation by ZachXBT uncovered that a North Korean IT laborer’s use of the default password “123456” on the internal payment platform luckyguys.site allowed researchers to access a $1 million‑per‑month money‑laundering operation, revealing weak OpSec, infostealer infection, forged identities, and links to OFAC‑sanctioned companies.
Underground Financial Network: 11‑Step Evidence Record
Step 1 – Data Source and Scale
Evidence: ZachXBT obtained an anonymous data dump containing 390 internal accounts, chat logs, and transaction flows.
The leak represents a "nuclear‑level" breach with monthly cash flow of one million USD, involving forged documents and laundering routes.
Step 2 – Entry Point: Infostealer Malware
Evidence: A North Korean worker’s device was infected with an Infostealer trojan, which harvested IPMsg chat logs, browser history, and stored credentials.
Step 3 – Identifying the Payment Backend "LuckyGuys"
Evidence: The internal payment platform luckyguys[.]site was discovered through analysis of browser history.
It is a payroll and remittance system designed for overseas‑assigned IT laborers.
Step 4 – Operational Failure: Default Password "123456"
Evidence: Screenshots of account lists show at least ten accounts still using the default password 123456, providing direct backend access.
The platform’s operations are described as extremely amateur.
Step 5 – Organizational Structure Mapping
Evidence: Backend user lists include real names, Korean aliases, cities, and secret‑team codes, confirming the internal hierarchy.
Step 6 – Links to OFAC‑Sanctioned Entities
Evidence: Company names such as Sobaeksu, Anyang, and Yongbyeon appear in the data.
All three are on the U.S. Treasury’s OFAC sanctions list, indicating state‑level control of the laundering chain.
Step 7 – Technical Details of Forged Identities
Evidence: Stacked photos of fake IDs and passport templates demonstrate the use of high‑quality Photoshop and AI‑based face‑swap techniques.
Step 8 – Cross‑Verification of Identities (KYC Bypass)
Evidence: Comparison images of fabricated resumes versus real backend identities show an "identity nesting" method that bypasses KYC checks.
Step 9 – On‑Chain Fund Consolidation Logic
Evidence: A topology diagram traces the flow from employer payments to cryptocurrency addresses, where fiat earnings are converted to crypto and aggregated before cash‑out.
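The fan-in/fan-out shape described in Step 9 (many worker wallets feeding one aggregation address, which forwards a lump sum to a cash-out address) can be found programmatically from a set of transfer records. The following is an added example for investigators, not part of ZachXBT's investigation or tooling; the transfers, address labels and the 90% forwarding threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (not from the investigation): tuples of
# (source_address, destination_address, amount). Employer payouts land in
# per-worker wallets, which forward to one aggregation address, which then
# sends a lump sum to a cash-out address.
SAMPLE_TRANSFERS = [
    ("employer_A", "worker_1", 4000),
    ("employer_B", "worker_2", 3500),
    ("employer_C", "worker_3", 5000),
    ("employer_D", "worker_4", 2500),
    ("worker_1", "aggregator_X", 4000),
    ("worker_2", "aggregator_X", 3500),
    ("worker_3", "aggregator_X", 5000),
    ("worker_4", "aggregator_X", 2500),
    ("aggregator_X", "cashout_Y", 15000),
]

def find_consolidation_points(transfers, min_sources=3, forward_ratio=0.9):
    """Return addresses that receive funds from at least `min_sources` distinct
    senders and forward at least `forward_ratio` of the total to one destination.
    That fan-in followed by a single fan-out is the aggregation step before cash-out."""
    inflow_sources = defaultdict(set)
    inflow_total = defaultdict(int)
    outflow = defaultdict(lambda: defaultdict(int))
    for src, dst, amount in transfers:
        inflow_sources[dst].add(src)
        inflow_total[dst] += amount
        outflow[src][dst] += amount
    hubs = {}
    for addr, sources in inflow_sources.items():
        if len(sources) < min_sources or not outflow[addr]:
            continue
        dest, sent = max(outflow[addr].items(), key=lambda kv: kv[1])
        if sent >= forward_ratio * inflow_total[addr]:
            hubs[addr] = {"sources": len(sources), "forwarded_to": dest, "amount": sent}
    return hubs

def trace_upstream(transfers, addr):
    """Walk the transfer graph backwards from `addr` and return the origin
    addresses (those with no inflows), i.e. the employers whose payments fed it."""
    senders = defaultdict(set)
    for src, dst, _ in transfers:
        senders[dst].add(src)
    origins, seen, stack = set(), set(), [addr]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if not senders[cur]:
            origins.add(cur)
            continue
        stack.extend(senders[cur])
    return origins
```

Run on a real export, the hubs it reports are the addresses whose freezing cuts off the cash-out, and `trace_upstream` lists which employers need to be notified.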
Step 10 – Internal Coordination and Communication Logs
Evidence: Decrypted IPMsg logs reveal discussions about payment processing, fake‑identity allocation, and handling of frozen accounts.
The investigation concludes that the $1 million monthly revenue is not only a financial threat but also a supply‑chain security risk, as these workers embed themselves in global crypto projects, potentially inserting backdoors or conducting social engineering from within.
ZachXBT warns that even state‑level hackers can be undone by basic OpSec lapses such as unchanged default passwords.