lazarusholic

Recently an unnamed source shared data exfiltrated from an internal North Korean payment server

2026-04-09, ZachXBT
https://archive.md/MdXfV
#ITWorker

Contents

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, and crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.

Enjoy the findings!

2/ A DPRK IT worker had their device compromised via an infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.

3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.

4/ Here is one of the WebMsg …