Counterhacker: North Korean IT unit earned ~$1M monthly

A self-described counterhacker released files claiming a North Korean state-linked IT unit generated about $1 million per month from overseas IT contracts between 2022 and early 2024.

A self-described counterhacker this week published documents and communications alleging that a North Korean state-linked IT unit produced roughly $1 million in monthly revenue by supplying overseas IT services and placing labor on international projects. The counterhacker provided spreadsheets, client contracts, chat logs and payment records that they say map the unit’s business operations and income streams.

The files cover activity from 2022 through early 2024 and show recurring inflows from software development, quality assurance, data-labeling and remote IT support contracts. The material lists dozens of client companies, many registered to nominee firms and freelancer platform accounts, and includes invoices and payment records tied to offshore entities and cryptocurrency wallets.

The documents appear to show the unit arranging technical staff and contractors for foreign clients, billing at industry rates and routing a large share of fees to central handlers. Personnel lists describe developers by skill set and project role rather than by full names, and payroll notes reference a central account, according to the released material.

Payment trails in the files indicate transfers to crypto addresses and bank accounts in third countries. The counterhacker wrote that the operation used intermediaries in China, Southeast Asia and the Middle East to mask direct links to Pyongyang and to convert foreign currency into usable funds.

The release included code samples, project deliverables and project briefs routed through multiple intermediaries. Several invoices list middlemen and nominee companies in jurisdictions commonly used for shell operations.

United Nations panels and law enforcement agencies have previously reported North Korean involvement in cryptocurrency theft, bank fraud and the operation of front companies. The counterhacker’s trove, if authentic, adds a set of records that investigators could follow with banking logs, platform data and official communications.

The files provide leads such as transaction timestamps, account names and routing details that the counterhacker urged authorities and cybersecurity researchers to review and verify. The counterhacker wrote that the intent of the release was to disrupt the revenue stream and expose how the unit operated.

The source did not provide independent verification of where the workers were located or how funds were ultimately used beyond the payment trails shown in the documents. Analysts note that proving direct state control typically requires corroboration from additional financial and platform records.
