The world saw for the first time the inside of the most closed digital project.
The blogger ZachXBT said that he managed to look into the internal cuisine of the North Korean network of IT-employees, which, according to him, earns on shadow schemes and teaches participants in applied skills to work in the cyber environment. The story quickly attracted the attention of the crypto community not only because of the leak content, but also because soon after the publication, one of the associated sites suddenly disappeared from the network.
According to ZachXBT, the group administrator from November 2025 to February 2026 sent to the participants 43 training modules on Hex-Rays and IDA Pro. The materials covered disassembly, decompilation, local and remote debugging, as well as other topics related to cybersecurity. Separately, ZachXBT mentioned a link sent on November 20, which allegedly directly described the purpose of one of the resources.
The author of the publication believes that the discovered cluster of North Korean activity is inferior in the level of organization to more well-known groups like AppleJeus and TraderTrator. According to ZachXBT, it is these structures that act significantly more effectively and create the greatest risks for the industry. At the same time, the analyst recalled the previous estimate of revenues, according to which North Korean IT workers can bring multimillion-dollar revenues.
The next day, ZachXBT reported that the internal payment site associated with the described scheme had already been turned off after its post. The archive with the collected data, according to the author, was preserved in advance, so the disappearance of the resource did not prevent further analysis.
The discussion quickly went beyond the find itself. Some users ridiculed the weak protection of the infrastructure and suggested that the organizers did not change the standard passwords. Other commentators drew attention to possible offline traces, including an address in Hong Kong.
Against the background of further reports of the DPRK’s shadow income, history has again raised the question of what role digital fraudulent schemes play in financing North Korean operations.
The blogger ZachXBT said that he managed to look into the internal cuisine of the North Korean network of IT-employees, which, according to him, earns on shadow schemes and teaches participants in applied skills to work in the cyber environment. The story quickly attracted the attention of the crypto community not only because of the leak content, but also because soon after the publication, one of the associated sites suddenly disappeared from the network.
According to ZachXBT, the group administrator from November 2025 to February 2026 sent to the participants 43 training modules on Hex-Rays and IDA Pro. The materials covered disassembly, decompilation, local and remote debugging, as well as other topics related to cybersecurity. Separately, ZachXBT mentioned a link sent on November 20, which allegedly directly described the purpose of one of the resources.
The author of the publication believes that the discovered cluster of North Korean activity is inferior in the level of organization to more well-known groups like AppleJeus and TraderTrator. According to ZachXBT, it is these structures that act significantly more effectively and create the greatest risks for the industry. At the same time, the analyst recalled the previous estimate of revenues, according to which North Korean IT workers can bring multimillion-dollar revenues.
The next day, ZachXBT reported that the internal payment site associated with the described scheme had already been turned off after its post. The archive with the collected data, according to the author, was preserved in advance, so the disappearance of the resource did not prevent further analysis.
The discussion quickly went beyond the find itself. Some users ridiculed the weak protection of the infrastructure and suggested that the organizers did not change the standard passwords. Other commentators drew attention to possible offline traces, including an address in Hong Kong.
Against the background of further reports of the DPRK’s shadow income, history has again raised the question of what role digital fraudulent schemes play in financing North Korean operations.
