1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies. To put this in perspective payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end.

5/ USDC was sent directly from Circle accounts to three addresses in this cluster. It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim. Other DPRK ITW clusters currently have decent sized quantities of USDC sitting. I think it’s misleading Circle markets themselves as the most compliant stablecoin that puts security first when they do not have proper channels to report illicit activity and do not engage in incident response during major exploits.

7/ A few key trends I have observed: A common misconception is that US exchanges have more rigorous KYC/AML requirements than offshore competitors. DPRK ITWs have an increasing number of accounts tied to US exchanges like Coinbase or Robinhood MEXC remains a popular choice by ITWs for laundering funds onchain. A few years ago Binance was widely used by ITWs but now it is rare due to improvements in detection and private industry collaboration that lead to seizures.

8/ Another misconception is crypto projects have the most DPRK ITWs when in reality the issue is just as bad if not worse at traditional tech companies. The downside of fiat is you cannot trace funds back to the company to alert them whereas when ITWs are paid with crypto it makes all activity onchain traceable. The rise of neobanks/fintech with stablecoin integrations has allowed DPRK ITWs to easily on-ramp fiat -> crypto.

9/ I believe that when a team hires multiple DPRK ITWs it is a decent indicator for determining that startup will be a failure. Unlike other threats to the industry DPRK ITWs have little sophistication so it’s mainly the result of a team’s own negligence. I think the prevalence of them is due to being cheap and the lack of available talent as well as high valuations that resulted in incompetent founders who received funding.

@SuperrSaiiyan Different ITWs

Update: Sandy Nguyen changed his X username after my post from ‘bullishgopher’ to ‘dddxxxssseaeff’ X user ID: 1532495241038778387