In a striking revelation, the United States Department of Justice (DOJ) has seized over $7.74 million allegedly laundered by North Korean IT operatives using stolen American identities. The operatives reportedly secured remote jobs at U.S.-based blockchain and tech firms and channelled their earnings back to North Korea. This elaborate crypto laundering scheme highlights the evolving cyber-financial tactics of the heavily sanctioned regime.
IT Workers Impersonate Americans to Infiltrate U.S. Firms
According to a civil forfeiture complaint filed in the U.S. District Court for the District of Columbia, North Korean IT workers posed as U.S. citizens to obtain remote positions at blockchain and tech companies. To bypass Know Your Customer (KYC) checks and secure employment, they used forged or stolen identification documents—often gaining access via freelance platforms or intermediaries based in the U.S.
Their salaries, frequently paid in stablecoins such as USDC and USDT, were laundered through various methods before being routed back to the North Korean regime. The ultimate objective: to finance Pyongyang’s weapons programs while evading international sanctions.
Advanced Laundering Techniques and Crypto Obfuscation
The FBI’s investigation uncovered a network of laundering tactics used to obscure the origin and destination of the stolen funds. These included “chain hopping” (moving crypto between multiple blockchains), token swapping, and even the purchase of non-fungible tokens (NFTs) to throw investigators off the trail. Shell accounts played a key role in concealing the final recipients—senior North Korean officials, including Kim Sang Man and Sim Hyon Sop, both of whom are already under U.S. Treasury sanctions.
The funds were reportedly channelled through the Chinyong IT Cooperation Company, which operates out of China, Russia, and Laos. This organisation is believed to function under the authority of North Korea’s Ministry of Defence. Kim Sang Man, the CEO of Chinyong, allegedly acted as a central link between the IT workers and the Foreign Trade Bank of North Korea.
Real-World Cases Underscore Ongoing Risk
Recent incidents demonstrate the continued reach of North Korea’s cyber units. Kraken’s security team reportedly detected a job applicant attempting to infiltrate the company using falsified credentials. Similarly, major breaches at Bybit and DMM Bitcoin were traced back to North Korea-linked hacker groups, including the Lazarus Group and TraderTraitor.
North Korea has dispatched thousands of skilled IT workers abroad with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers so they can support North Korean cyber operations and generate revenue for the North Korean regime. Learn more…
— NCSC (@NCSCgov) April 3, 2025
In May alone, the crypto world witnessed $244 million in losses, much of which has been attributed to North Korean actors. These activities highlight a broader strategy by the DPRK to exploit decentralised finance (DeFi) platforms and remote work structures to sustain its illicit programs.
International Pushback and DOJ Crackdown
This operation falls under the broader “DPRK RevGen” initiative launched in 2024 by the DOJ. The initiative aims to dismantle North Korea’s global cyber-financial network by targeting operatives, intermediaries, and financial flows. It has already led to several asset seizures, indictments, and the enforcement of international sanctions.
Officials from the U.S., South Korea, and Japan have jointly condemned the regime’s abuse of crypto to fund weapons development and undermine global financial systems. The DOJ reaffirmed its commitment to cut off the financial lifelines of the regime.
“Crime may pay in other countries, but that’s not how it works here,” stated U.S. Attorney Jeanine Ferris Pirro. “We will halt your progress, strike back, and seize any illegally obtained proceeds.”