DOJ Seeks $7.7 Million Forfeiture in Crypto From North Korean Hackers Masquerading as IT Workers




In brief

• DOJ seized $7.74 million in crypto laundered by North Korean IT workers who used fake identities to get jobs at U.S. companies.

• Workers were paid in stablecoins, then laundered funds through various methods before sending proceeds to the North Korean government.

• Security experts say this growing threat uses AI-generated personas and deepfake technology, potentially generating hundreds of millions annually for the regime.

The U.S. Department of Justice last week filed a civil forfeiture claim for $7.74 million in crypto laundered by North Korean IT workers who fraudulently gained employment with companies in the U.S. and abroad.

The U.S. government seized the funds as part of an operation against a North Korean scheme to evade sanctions, with authorities indicting a North Korean Foreign Trade Bank representative, Sim Hyon Sop, in connection with the scheme in April 2023.

According to the DOJ, North Korean IT workers gained employment at U.S. crypto companies using fake or fraudulently obtained identities, before laundering their income through Sim for the benefit of the regime in Pyongyang.

The forfeiture complaint also details that the IT workers had been deployed in various locations around the world, including in China, Russia and Laos.

By hiding their true identities and locations, the workers were able to secure employment with blockchain firms, which generally paid them in stablecoins—USDC or Tether.

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, the head of the DOJ’s National Security Division.

The Department of Justice also reports that the IT workers used several methods to launder their fraudulent income, including setting up exchange accounts with fictitious IDs, making multiple small transfers, converting from one token to another, buying NFTs, and mixing their funds.

Once ostensibly laundered, the funds were then sent to the North Korean government via Sim Hyon Sop and Kim Sang Man, the CEO of a company operating under North Korea’s Ministry of Defense.

The DOJ indicted Sim Hyon Sop on two separate charges in April 2023, including conspiring with North Korean workers to earn income via fraudulent employment and, secondly, conspiring with OTC crypto traders to use the fraudulently generated income to purchase goods for North Korea.

The FBI Chicago Field Office and the FBI’s Virtual Assets Unit are investigating the cases related to the forfeiture complaint, which the DOJ filed with the U.S. District Court for the District of Columbia.

“The FBI’s investigation has revealed a massive campaign by North Korean IT workers to defraud U.S. businesses by obtaining employment using the stolen identities of American citizens, all so the North Korean government can evade U.S. sanctions and generate revenue for its authoritarian regime,” said Roman Rozhavsky, the Assistant Director of the FBI’s Counterintelligence Division.

While the precise extent of fraudulent North Korean IT work is not fully established, most experts agree that the problem is becoming more significant.

A growing threat in North Korea

“The threat posed by North Korean IT workers posing as legitimate remote employees is growing significantly – and fast,” explains Chainalysis Head of National Security Intelligence Andrew Fierman, speaking to Decrypt.

As evidence of just how “industrialized and sophisticated” the threat has become, Fierman cites the DOJ’s December indictment of 14 North Korean nationals, who had allegedly also operated under false IDs and earned $88 million through a six-year scheme.

“While it’s difficult to pin an exact percentage of North Korea’s illicit cyber revenue to fraudulent IT work, it’s clear from government assessments and cybersecurity research that this method has evolved into a reliable stream of income for the regime – especially when paired with espionage goals and follow-on exploits,” he says.

Other security specialists concur that the threat of illicit North Korean IT employees is becoming more prevalent, with Michael Barnhart – Principal i3 Insider Investigator at DTEX Systems – telling Decrypt that their tactics are becoming more sophisticated.

“These operatives aren’t just a potential threat, they have actively embedded themselves within organizations already, with critical infrastructure and global supply chains already compromised,” he says.

Barnhart also reports that North Korean threat actors have even begun establishing “front companies posing as trusted third parties”, or embedding themselves into legitimate third parties that may not utilize the same rigorous safeguards as other, larger organizations.

Interestingly, Barnhart estimates that North Korea may be generating hundreds of millions in revenue each year from fraudulent IT work, and that any recorded figures or sums are likely to be underestimated.

“The saying of ‘you don’t know what you don’t know’ comes into play, as each day a new scheme to earn money is discovered,” he explains. “Additionally, much of the revenue is obfuscated to look like elements of cyber criminal gangs or completely legitimate seeming efforts, which muddle the overall attribution.”

And while Thursday’s forfeiture claim indicates that the U.S. Government is managing to get more of a handle on North Korea’s operations, the increasing sophistication of the latter suggests that American and international authorities may continue playing catchup for a while yet.

As Andrew Fierman says, “What’s especially concerning is how seamlessly these workers are able to blend in: leveraging generative AI for fake personas, deepfake tools for interviews, and even support systems to pass technical screenings.”

In April, Google’s Threat Intelligence Group revealed that North Korean actors had expanded beyond the U.S. to infiltrate cryptocurrency projects in the UK, Germany, Portugal and Serbia.

This included projects developing blockchain marketplaces, AI web apps and Solana smart contracts, with accomplices in the UK and U.S. helping operatives to bypass ID checks and receive payments via TransferWise and Payoneer.

Edited by Stacy Elliott.
