United States Seizes $7.74 Million in Crypto from North Korean IT Worker Scheme

In a powerful blow to North Korea’s illicit funding machinery, the United States Department of Justice (DoJ) has filed a civil forfeiture complaint targeting a covert global network of North Korean information technology (IT) workers who illicitly secured remote employment and laundered millions in cryptocurrency to fund the Hermit Kingdom’s weapons programme.

The forfeiture action, filed in the District of Columbia, freezes more than $7.74 million linked to an expansive scheme involving fraudulent job applications, stolen identities, and complex crypto laundering strategies. It follows the April 2023 indictment of Sim Hyon Sop, a North Korean Foreign Trade Bank (FTB) official who allegedly conspired with the IT operatives. Sim, along with crypto brokers and other intermediaries, channelled the proceeds back to the North Korean regime in violation of US sanctions.

North Korea’s Abuse of the Crypto Ecosystem

The case spotlights the Kim regime’s evolving reliance on the digital economy to subvert international restrictions. According to the DoJ, North Korean IT workers—many operating from China, Russia, and Laos—masqueraded as legitimate tech freelancers to infiltrate blockchain development firms and other digital ventures. These workers used fake or stolen American identities to pass due diligence checks, securing high-paying remote roles often paid in stablecoins such as USDC and USDT.

The funds were laundered using advanced crypto techniques including:

• Chain hopping and token swapping to obscure transaction trails

• Micro-transactions and fictitious accounts to bypass thresholds

• Non-fungible tokens (NFTs) as covert stores of value

• US-based wallet farms and accounts to feign legitimacy

Once sufficiently laundered, the crypto was redirected to North Korea through operatives such as Sim and Kim Sang Man, the CEO of Chinyong IT Cooperation Company—a sanctioned entity under the control of the North Korean Ministry of Defence.

Part of a Wider Crackdown: DPRK RevGen Initiative

This enforcement is the latest in a series of actions under the DoJ’s DPRK RevGen: Domestic Enabler Initiative, launched in March 2024 to dismantle North Korea’s revenue generation capabilities.

Previous actions in 2024 and 2025 have increasingly targeted US-based enablers, cryptocurrency brokers, and employers unwittingly facilitating the illicit activity.

According to officials, this is not just about stolen funds. It is a strategic battle to deny North Korea the financial means to advance its nuclear and ballistic missile ambitions.

A Warning to Employers & Crypto Platforms

The Federal Bureau of Investigation (FBI) has called on all US companies—particularly those employing remote contractors—to remain alert to this evolving national security threat. The Bureau’s guidance, last updated in May 2024 and January 2025, includes red flags such as:

• Remote workers reluctant to appear on video

• Use of VPNs to spoof US IP addresses

• Multiple contractors linked to the same payment details or devices

FBI investigations reveal a widespread campaign involving identity theft of US citizens, data exfiltration, and crypto fraud—all coordinated to bypass sanctions and funnel capital to Pyongyang.

Conclusion

This case serves as a potent reminder that North Korea’s IT worker threat is no mere cybercrime—it is a sanctioned state’s economic warfare by stealth. As the DoJ and FBI continue to close financial loopholes, companies must elevate their verification standards and blockchain platforms must enhance transaction monitoring to curb North Korea’s digital subterfuge.

Read the full press release here.