Counterhacker Reveals North Korean IT Unit Earning $1M Monthly
A counterhacker provided logs, invoices and chat transcripts alleging a North Korean cyber unit performed contracted IT work for foreign clients and earned about $1 million monthly.
A counterhacker provided server logs, invoices and archived chat transcripts that they say document a North Korean cyber unit performing contracted IT work for overseas clients and generating roughly $1 million per month at peak.
The materials supplied to cybersecurity teams and some government units include payment records, task assignments, project deliverables and what the provider identified as internal payroll records. The files list services such as web development, coding, software maintenance, web design and remote IT support under commercial-sounding company names.
According to the documents, the operation routed contracts and payments through intermediary companies and used encrypted channels to hide the origin of the work and the recipients of funds. The packet includes invoices in foreign currencies, wallet addresses for cryptocurrency transfers and conventional billing records tied to project milestones.
The activity described in the files appears to have taken place over several months. Records show a range of project sizes, from short-term website builds and maintenance to longer software development engagements. The counterhacker’s summary reports aggregated monthly receipts near $1 million during peak periods, and notes that totals fluctuated.
Material in the batch shows backend systems and employee messages referencing local supervisors and centralized coordination. Task lists, time sheets and templates for proposals and non-disclosure agreements are included, and the provider pointed to evidence of supervisors assigning tasks, reviewing deliverables and approving payouts.
Researchers who reviewed portions of the material described the documentation as containing detailed invoices and delivery notes that match client work. In an accompanying statement, the counterhacker wrote, “The documentation contains detailed invoices and delivery notes that are consistent with genuine client work. This is not solely theft or ransomware; it is commercial work performed at scale.”
Those analyzing the files said further technical verification is needed to confirm provenance and to trace the full payment chain. The counterhacker said they have shared copies with selected incident response teams and government cybersecurity units and will continue to work with independent analysts and officials while more data is validated.
To protect potential victims, the provider did not release the names of individual clients, and urged organizations to review vendor relationships and payment chains that could conceal the origin of contracted work.