U.S. Targets $7.7M in Crypto Tied to North Korean IT Worker Scam


On June 5, 2025, the United States Department of Justice (DOJ) filed a verified civil forfeiture complaint in the US District Court for the District of Columbia, seeking to permanently seize over $7.7 million in cryptocurrency, non-fungible tokens (NFTs), and digital assets linked to a sophisticated global laundering operation orchestrated by North Korea.

The assets in question are the proceeds of wire fraud and money laundering offenses perpetrated by North Korean nationals, acting under the direction of the country’s Foreign Trade Bank (FTB) and Ministry of Defense.

The operation centered on the deployment of North Korean IT workers, primarily based in China, Russia, and the United Arab Emirates (UAE), who used falsified identities to gain employment at US and foreign tech firms, including those in the blockchain and decentralized finance (DeFi) sectors.


These workers, often paid in stablecoins such as USDC and USDT, did not retain their earnings but instead routed them through a complex network of self-custodied wallets, centralized exchanges, and alternate blockchains.

The funds were ultimately transferred to wallets controlled by sanctioned North Korean entities.

The Mechanics of a State-Sponsored Laundering Machine

The complaint details how North Korea has systematically embedded its IT workers within legitimate companies, leveraging stolen or forged identity documents, virtual private networks (VPNs), and advanced obfuscation techniques to conceal their origins.

Once hired, these individuals performed roles such as software development, smart contract engineering, and blockchain infrastructure management.

Payments were made via centralized exchanges and directed to self-hosted wallets, which acted as consolidation points for the laundered funds.

Investigators observed a pattern of fragmentation: funds were broken into smaller amounts, transferred across multiple blockchains (“chain hopping”), and commingled with other assets to obscure their origin.

Privacy-enhancing technologies, such as coin mixers and anonymizers, were employed to further muddy the trail.

The assets were eventually converted into fiat currency through over-the-counter (OTC) brokers, some of whom have since been sanctioned by the Office of Foreign Assets Control (OFAC).

Key actors in the network include Sim Hyon Sop, a representative of North Korea’s FTB, and Kim Sang Man, CEO of Chinyong, an IT company subordinate to the Ministry of Defense.

Both have been designated by OFAC for their roles in financing prohibited activities.

Sim’s wallet, now frozen, received over $24 million in cryptocurrency between August 2021 and March 2023, much of it traced back to Kim’s accounts, which were opened using forged Russian identity documents and accessed from Korean-language devices in the UAE and Russia.

Technical Indicators and Enforcement Actions

The DOJ’s investigation, led by the FBI’s Virtual Assets Unit and Chicago Field Office, with support from the IRS Criminal Investigation (IRS-CI) and international partners, identified over 84 exchange accounts tied to the laundering network.

Many of these accounts were established using false Know Your Customer (KYC) documentation, and investigators found inconsistencies in login records, such as repeated device usage across multiple fake personas and access from IP addresses in Russia and the UAE.
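The two login-record signals described above (one device fingerprint reused across several KYC personas, and login countries that contradict the country on file) can be checked mechanically. The following is an added example, not code from the DOJ complaint or the investigators; the login records are constructed and the scoring weights are an assumption:

```python
from collections import defaultdict

# Constructed sample login records (not from the complaint). Each record is one
# exchange login: account id, KYC-declared country, device fingerprint, login IP country.
LOGINS = [
    {"account": "acct-01", "kyc_country": "RU", "device": "dev-A", "ip_country": "RU"},
    {"account": "acct-02", "kyc_country": "KR", "device": "dev-A", "ip_country": "AE"},
    {"account": "acct-03", "kyc_country": "US", "device": "dev-A", "ip_country": "RU"},
    {"account": "acct-04", "kyc_country": "DE", "device": "dev-B", "ip_country": "DE"},
    {"account": "acct-05", "kyc_country": "GB", "device": "dev-C", "ip_country": "AE"},
    {"account": "acct-05", "kyc_country": "GB", "device": "dev-C", "ip_country": "GB"},
]

def shared_devices(logins, min_accounts=2):
    """Map device fingerprint -> set of accounts, keeping only devices seen on
    min_accounts or more distinct accounts (one device behind several personas)."""
    by_device = defaultdict(set)
    for rec in logins:
        by_device[rec["device"]].add(rec["account"])
    return {d: accts for d, accts in by_device.items() if len(accts) >= min_accounts}

def kyc_geo_mismatches(logins):
    """Map account -> set of login countries that differ from the KYC-declared country."""
    mismatches = defaultdict(set)
    for rec in logins:
        if rec["ip_country"] != rec["kyc_country"]:
            mismatches[rec["account"]].add(rec["ip_country"])
    return dict(mismatches)

def score_accounts(logins):
    """Combine both signals into a per-account score (weights are an assumption):
    +2 for sharing a device with another account, +1 per distinct login country
    that contradicts the KYC record. Accounts with no findings are omitted."""
    scores = defaultdict(int)
    for accts in shared_devices(logins).values():
        for a in accts:
            scores[a] += 2
    for a, countries in kyc_geo_mismatches(logins).items():
        scores[a] += len(countries)
    return dict(scores)

if __name__ == "__main__":
    # Highest-scoring accounts first: these are the ones to route to manual KYC review.
    for acct, s in sorted(score_accounts(LOGINS).items(), key=lambda kv: -kv[1]):
        print(acct, s)
```

Real exchange logs carry timestamps, user agents and login outcomes as well; the same grouping extends to those fields, and a device shared by three or more personas is a far stronger signal than a single geographic mismatch.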

Some wallets were voluntarily frozen by Tether following requests from US law enforcement, while others were seized pursuant to federal warrants executed in 2022 and 2023.

The targeted assets include Ethereum (ETH), Tether (USDT), USD Coin (USDC), various altcoins, high-value NFTs, and Ethereum Name Service (ENS) domain names.

The DOJ is proceeding under 18 U.S.C. § 981(a)(1)(A) and (C), alleging violations of wire fraud statutes, the International Emergency Economic Powers Act (IEEPA), and US money laundering laws.

North Korea’s Evolving Crypto Threat Landscape

TRM Labs, a leading blockchain analytics firm, estimates that North Korea has stolen approximately $5 billion in cryptocurrency over the past eight years, with a significant portion originating from high-profile exchange hacks such as the $1.5 billion Bybit exploit in February 2025.

However, the use of IT workers as revenue generators is playing an increasingly prominent role in the regime’s crypto intake, accounting for millions annually.

The following table summarizes key technical terms and codes relevant to the case:

| Term/Code | Description |
| --- | --- |
| USDC, USDT | Stablecoins pegged to the US dollar, used for payments and laundering |
| KYC | Know Your Customer: process for verifying client identities |
| OFAC | Office of Foreign Assets Control: enforces US sanctions |
| IEEPA | International Emergency Economic Powers Act: basis for sanctions enforcement |
| 18 U.S.C. § 981 | US law allowing civil forfeiture of property linked to criminal activity |
| Chain Hopping | Moving funds between different blockchains to obscure origin |
| OTC Broker | Over-the-counter broker: facilitates crypto-to-fiat conversions |
| ENS | Ethereum Name Service: domain names for Ethereum addresses |

The DOJ’s latest action underscores the growing sophistication of North Korea’s state-backed cyber apparatus and highlights the ongoing risks posed by remote IT contracting and cryptocurrency ecosystems.

As the US government continues to adapt its enforcement strategies, companies are urged to strengthen their due diligence and identity verification processes to mitigate the threat of infiltration by sanctioned actors.

