Particle.news

ZachXBT Exposes DPRK IT Worker Crypto Network Moving Millions

The leak reveals a simple payment hub with weak passwords that routed freelance earnings into wallets tied to sanctioned fronts.

Overview

  • ZachXBT, who posted his findings Wednesday, said the group’s internal remittance site was taken offline after his report, with all data archived beforehand.
  • A compromised worker’s device infected with an infostealer exposed 390 accounts, chat logs, and browser history that pointed to luckyguys.site, where an admin called PC-1234 managed payouts and several users kept the default password 123456.
  • The data shows workers used fake identities to land remote developer jobs and then moved roughly $3.5 million in recent months through crypto addresses or by cashing out via Chinese bank accounts and services like Payoneer.
  • On-chain traces linked the payment flow to OFAC-sanctioned entities Sobaeksu, Saenal, and Songkwang, and one Tron wallet tied to the network was previously frozen by Tether.
  • Leaked files included 43 training modules for reverse engineering tools like IDA Pro and chats that discussed targeting the Arcano game on GalaChain, though it is unclear if that attempt ever occurred.