bitcoin with Kim Joun Un behind North Korea and U.S flag

The U.S. Department of Justice (DoJ) has filed a civil forfeiture complaint targeting over \$7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly tied to a global IT worker scheme orchestrated by North Korea.

"For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and fund its weapons programs," stated Sue J. Bai, Head of the Justice Department's National Security Division.

The seized funds were initially restrained in connection with an April 2023 indictment against Sim Hyon-Sop, a representative of the North Korean Foreign Trade Bank (FTB), believed to have conspired with the IT workers. These workers gained employment at U.S. cryptocurrency companies using fake identities and laundered their earnings through Sim to support North Korea's strategic objectives, violating sanctions imposed by the U.S. Treasury's Office of Foreign Assets Control (OFAC) and the United Nations.


The fraudulent scheme has evolved since its inception in 2017, leveraging stolen and fictitious identities, often aided by AI tools like OpenAI ChatGPT, to bypass due diligence checks and secure freelance jobs. Operating under the aliases Wagemole and UNC5267, this operation is linked to the Workers' Party of Korea and aims to embed IT workers within legitimate companies to generate revenue for the Democratic People's Republic of Korea (DPRK).

A key aspect of the operation involves recruiting facilitators to manage laptop farms worldwide, enabling video interviews and laundering proceeds through various accounts. One such facilitator, Christina Marie Chapman, pleaded guilty earlier this year for her role in the scheme.


After laundering the funds, the North Korean IT workers allegedly sent them back to the North Korean government, often via Sim and Kim Sang Man, the CEO of Chinyong IT Cooperation Company. An analysis of Sim's cryptocurrency wallet revealed over \$24 million received from August 2021 to March 2023, with most funds traced back to Kim's accounts, which were opened using forged Russian identity documents.

Cybersecurity firm DTEX has characterized this IT worker scheme as a state-sponsored crime syndicate focused on sanctions evasion and profit generation. The threat actors are shifting from laptop farms to using their own devices under companies' Bring Your Own Device (BYOD) policies.

DTEX identified two categories of IT workers: Revenue IT Workers (R-ITW), who primarily generate income for the regime, and Malicious IT Workers (M-ITW), who engage in extortion, sabotage, and theft. Chinyong is one of many IT companies deploying workers for freelance IT tasks and cryptocurrency theft.

Recent investigations have uncovered fake domains and accounts used to provide phony references for the IT workers, with some accounts infected with information-stealing malware. Additionally, a covert remote-control system has been identified, allowing North Korean IT workers to maintain persistent access to company-issued laptops while located in Asia.

As the scheme evolves, experts warn that North Korea's cyber assets may increasingly target the traditional financial sector, especially as blockchain and Web3 technologies become more integrated into financial institutions.