PANews reported on April 8th that, according to blockchain detective ZachXBT , a North Korean IT worker's device was infected with a Trojan, leading to the leakage of data from its internal payment server, involving approximately 390 accounts, chat logs, and encrypted transactions. The leaked data shows that the North Korean IT team reported income through the internal platform luckyguys.site , using numerous forged identities and fake legal documents to transfer cryptocurrency from exchanges or other services to a wallet controlled by the administrator account " PC-1234 , " and then exchanged it for fiat currency through Chinese bank accounts and platforms such as Payoneer . Since November 2025 , the related addresses have received over $ 3.5 million, and one of the Tron addresses was frozen by Tether in December 2025. ZachXBT also released the network's organizational structure, payment details, and some publicly verifiable addresses.