An unnamed source recently compromised a DPRK IT worker device

2025-08-13 Zach XBT

https://archive.md/9ZxTn


A compromised DPRK IT worker device exposed a five-person operation managing more than 30 fraudulent identities to obtain developer jobs through purchased Upwork and LinkedIn accounts, government IDs, phone numbers, AI subscriptions, rented computers, VPNs, and proxies. Exported Google Drive data, Chrome profiles, screenshots, schedules, reports, and budgets showed the team coordinating work in English and using Google products to manage tasks and finances. The operators used bought or rented computers and AnyDesk to perform work under fake personas, including a scripted identity named Henry Zhang. One payment wallet, 0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c, was linked on-chain to the June 2025 Favrr exploit, where the CTO and other developers were reportedly DPRK IT workers using fraudulent documents.
