The US Department of Justice (DOJ) has moved to confiscate $7.7 million of crypto and NFTs earned by North Korean IT workers using fake identities. The civil forfeiture complaint to seize multiple cryptocurrencies comes two years after the funds were frozen in April 2023 due to being linked to money laundering efforts by North Korea (DPRK).
As seen in various criminal cases, North Korean IT workers, under the direction of their government, have gained employment with American and European companies using phony identification and various techniques to obfuscate their locations.
Invisible Workers, Visible Profits
In the case of the $7.7 million, North Korean IT workers were paid in stablecoins such as Circle’s USDC and Tether, then laundered the money via chain hopping and token swaps to hide where it originated. The crypto was then sent back to the North Korean government via intermediaries.
The two intermediaries are Sim Hyon Sop, a foreign trade bank representative indicted in 2023 by the DOJ for the money laundering scheme, and Kim Sang Man, who operates an IT company within North Korea’s Ministry of Defense.
According to TRM Labs, a cryptocurrency firm that tracks fraud and money laundering, crypto wallets tied to Sim received over $24 million between 2021 and 2023. Operating out of Dubai, Sim transferred funds to a UAE-based over-the-counter trader who then converted the funds into fiat currency. The UAE trader has since been sanctioned by the Office of Foreign Assets Control (OFAC).
In recent years, due to heightened scrutiny within the U.S., North Korean IT workers have turned their attention to blockchain firms outside the country. One prominent blockchain developer estimates that over 50% of resumes received by crypto companies come from North Koreans concealing their identities.
Young companies are often willing to pay in crypto to attract talent, which creates an added challenge for law enforcement.
Nevertheless, Matthew R. Galeotti, head of the DOJ’s criminal division, said the $7.7 million seizure shows the lengths to which the DOJ will go to respond to the North Korean threat.
In his words: “The Department will use every legal tool at its disposal to safeguard the cryptocurrency ecosystem and deny North Korea its ill-gotten gains in violation of US sanctions.”
A Drop in the Ocean
The DOJ’s potential seizure of $7.7 million is unlikely to deter North Korean efforts to infiltrate western companies. According to the UN, North Korean IT workers have brought in as much as $600 million a year since 2018, funnelling their salaries to the regime. Thousands of North Korean IT workers have gained employment at Fortune 500 companies.
Part of the DOJ’s problem is trying to pin down a moving target. Given the heavy sanctions placed on North Korea, its army of IT specialists rarely operates directly from the country itself. To circumvent sanctions, workers are stationed in China, Russia and other East Asian nations, while making transactions in the UAE and other financial hubs.
While U.S. companies are getting wise to the techniques of fraudulent applicants, North Korean operatives are adaptive. AI is being used to develop scripts and disguise an employee’s appearance and voice.
Beyond the money obtained through their salaries, North Korean IT workers also collect important data and intellectual property from their employers to use for extortion. If their employment status is compromised, often this is the next step taken.
If the way in which money is extracted from Western companies varies, its final destination is always the same. For that reason North Korea has been compared to the mafia or a crime syndicate. All money flows to the top, with evidence showing that it is being used to fund the rogue nation’s nuclear program and missile development.
Farming Out the Work
Concurrent with North Korea’s infiltration of the crypto industry, the DPRK has successfully injected workers into several business sectors with the help of American conspirators.
In August 2024 the DOJ charged Matthew Isaac Knoot, a U.S. citizen based in Nashville, with operating a “laptop farm.” In this scheme, a willing American accomplice uses his residence to host laptops that are remotely controlled by North Korean workers abroad. Circumventing employment sanctions, the accomplice then also launders the North Korean workers’ salaries and funnels the money back to North Korea.
Knoot was the second U.S. citizen charged with operating a laptop farm. In May 2024, an Arizona woman was brought up on similar charges, having allegedly stolen the identities of 60 people while assisting North Korean workers employed at more than 300 companies, many of them well-known Fortune 500 companies.
That same month, a Maryland man was arrested for using his identity to obtain employment that was then farmed out to North Korean workers.
While these schemes have been broken up in Tennessee, Maryland and Arizona, North Korean operatives have been quick to adapt and reassert themselves. Investigators have traced laptop farms in Europe, where local conspirators are facilitating North Koreans much in the way Knoot did in Nashville.
Sue Bai, head of the Justice Department’s National Security Division, acknowledged as much:
“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs.”
OFAC and the DOJ began publicizing North Korea’s infiltration of the crypto industry in 2022. However, independent investigators show evidence of it dating back to 2018, if not earlier.
While fraudulent schemes have placed North Korean IT workers in the employ of American and European companies, hackers from the pariah state have been busy themselves.
One Hand Washes the Other
In February 2025, the world witnessed the largest crypto heist in history when $1.5 billion in Ethereum tokens were stolen from Bybit, the world’s second largest cryptocurrency exchange. Within the first two days it’s estimated that at least $160 million of the stolen Ethereum was laundered.
TraderTraitor, a group of North Korean hackers operating under the umbrella of notorious criminal collective Lazarus Group, is largely seen as the culprit behind the Bybit heist. Hacking group Lazarus has stolen an estimated $3.4 billion in crypto since 2007 and shows no signs of stopping.
In 2024 more than a dozen crypto companies reported having inadvertently hired a North Korean job applicant. While violating U.S. sanctions, some of these employees may have performed their jobs to their employers’ satisfaction, apart from remitting their wages to the DPRK.
However, there is evidence that some workers were quietly collecting their employer’s internal information and passing it on to North Korean hackers. In 2024, North Korea-affiliated hackers stole $1.34 billion, more than double what they stole the year before.
With a $1.5 billion hack already on the books in 2025, the DOJ’s seizure of $7.7 million looks less like a victory and more like, from North Korea’s perspective, a small price for doing business.
Author: Laird Dilorenzo
Laird Dilorenzo is a hatchet thrower and wordsmith.