Tracking Bitcoin Address Transactions Related to North Korean Ransomware (8)

2023-04-05 Plainbit Tracking Bitcoin address transactions related to North Korean ransomware (8)

https://blog.plainbit.co.kr/cisa-northkorea-ransomware-1kcwfcugnsy3pznx7u1i5nwfzrtth4brbc/

Plainbit traces CISA-listed North Korea ransomware address 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc, a high-risk wallet in QLUE cluster 806944670 with ransomware and North Korea flags. The address handled six transactions totaling 0.0361 BTC between May 2021 and December 2022, with inputs associated with Coinbase activity and a peel-chain source. Outgoing flows connected to Binance, Hydra Market, Coinspaid-like infrastructure, and two addresses identified in the source as Lazarus Group-linked: 121AkmEbHBX9FuFeuDWv2CpyHqNq9F18k9 and 1C5qLPgqW4Ed6PuyLHPqXpdF2gQ1EEnJ65. The report highlights exchange use, peel-chain movement, and overlap with Lazarus-tagged wallets in North Korea ransomware fund tracing.
