A growing national security concern is unfolding quietly across the global tech and crypto industries. According to data from the on-chain sleuth ZachXBT, over $16.58 million has been funneled to North Korean IT workers since the start of 2025 alone, a figure that amounts to roughly $2.76 million per month. These developers pose as legitimate freelancers but are secretly tied to the DPRK regime. Using simple tactics and social engineering, they’ve breached technical teams, secured sensitive roles, and routed crypto payments into addresses linked to sanctioned actors. 1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies. To put this in perspective payments range from $3K-8K per month meaning… pic.twitter.com/pjHZG9wJ4r — ZachXBT (@zachxbt) July 2, 2025 What Are the Red Flags and Risk Patterns? These IT workers typically earn between $3,000 and $8,000 per month, which suggests that anywhere from 345 to 920 jobs have been compromised this year alone. While that number is staggering, the patterns behind their employment reveal a concerning lack of diligence in the hiring and vetting processes at many companies. Most teams fail to notice glaring indicators, such as workers who refuse to meet local team members despite claiming to live nearby, or those who use Russian IP addresses while claiming to be based in the U.S. In some cases, these workers even refer each other to new roles, creating internal clusters of compromised staff. How Are They Bypassing Security Checks? Many of these IT workers show clear signs of deceit. They frequently change their GitHub usernames, delete their LinkedIn profiles after securing a job, and often fail basic Know Your Customer (KYC) checks. Despite these red flags, crypto firms continue to unknowingly process payments to them, sometimes directly from regulated platforms like Circle. 7/ A few key trends I have observed: A common misconception is that US exchanges have more rigorous KYC/AML requirements than offshore competitors.DPRK ITWs have an increasing number of accounts tied to US exchanges like Coinbase or Robinhood MEXC remains a popular choice… — ZachXBT (@zachxbt) July 2, 2025 Circle and Compliance Concerns In one instance, USDC payments were traced to an address just one hop away from a Tether-blacklisted account tied to a known DPRK operative. What’s more alarming is the presence of U.S.-based exchange accounts held by these workers. Despite the assumption that platforms like Coinbase and Robinhood enforce stricter KYC, many have been able to use these services without detection. Others still prefer exchanges like MEXC for laundering funds on-chain, having moved away from Binance due to improved oversight. Why Are Startups at Such High Risk? While crypto projects are often highlighted, traditional tech companies face just as much exposure to this threat. These workers often juggle multiple remote roles, perform poorly, and are frequently fired, but the damage can be done long before they are removed. Once they are embedded in a project, especially in a smart contract development role, they pose a real threat to a project’s integrity and financial security. Ultimately, many teams have prioritized cost-cutting over security, hiring cheaper international talent without performing sufficient background checks. This has created an environment that is ripe for exploitation. Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.