DOJ Seeks Forfeiture of $7.7 Million in Cryptocurrency Tied to North Korean IT Worker Laundering Network

On June 5, 2025, the US Department of Justice filed a verified civil forfeiture complaint in the US District Court for the District of Columbia, targeting over USD 7.7 million in cryptocurrency, NFTs, and digital assets allegedly linked to a global laundering scheme directed by North Korea. According to the complaint, these assets represent the proceeds of wire fraud and money laundering offenses conducted by North Korean nationals acting under the direction of the Foreign Trade Bank and Ministry of Defense.

The action focuses on the deployment of North Korean IT workers abroad — primarily in China, Russia, and the United Arab Emirates (UAE) — who used falsified identities to gain employment at US and foreign tech firms, including in the blockchain and decentralized finance (DeFi) sectors. Payments made to these individuals, often in USDC and USDT, were allegedly routed through laundering networks and ultimately transferred to wallets controlled by sanctioned Democratic People’s Republic of Korea (DPRK) entities.

The use of North Korean IT workers to generate sanctioned revenue

The complaint describes a deliberate strategy by North Korea to embed IT workers inside legitimate companies, often in software development, smart contract engineering, and blockchain infrastructure roles. These individuals operated under false identities and used virtual private networks, stolen or forged identity documents, and obfuscation techniques to conceal their North Korean origin. Employers, unaware of the deception, paid these workers in stablecoins and other digital assets.

Once paid, the IT workers did not retain the earnings. Instead, they transferred the funds through layers of self-custodied wallets, centralized exchanges, and alternate chains before the assets were funneled to the North Korean regime. The scheme relied on fragmentation of transfers, use of privacy-enhancing technologies, and eventual conversion to fiat currency through over-the-counter brokers.

Among the entities receiving the laundered funds were Sim Hyon Sop, a representative of North Korea’s sanctioned Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, an IT company subordinate to North Korea’s Ministry of Defense. Both individuals were designated by the US Treasury’s Office of Foreign Assets Control for their role in financing prohibited activities.

Sim’s wallet, now frozen, received more than USD 24 million in cryptocurrency from August 2021 to March 2023. Most of these funds were traced back to Kim’s accounts, which were opened using forged Russian identity documents and accessed from Korean-language devices operating from the UAE and Russia.

US companies and the unwitting employment of DPRK nationals

The complaint identifies multiple examples where US-based companies unknowingly hired North Korean IT workers under fraudulent identities. In one case, a DeFi company employed two developers who submitted documents and resumes under the names “Joshua Palmer” and “Bram Chen.” These individuals were later linked to laundering networks involving Sim and Kim. The same pattern repeated at other US startups, including one developer operating under the alias “Alex Hong” who was paid for building decentralized applications.

Payments from these companies, made through centralized exchanges, were directed to self-hosted wallets controlled by the DPRK operatives. From there, the funds were moved through a network of IT Worker Consolidation Addresses, then transferred to accounts registered under aliases with Russian and Malaysian documentation, and eventually routed to Sim and Kim.

Investigators observed inconsistencies in login records, including access from IP addresses in Russia and the UAE, language settings in Korean, and devices reused across multiple fake personas. These artifacts supported the conclusion that the IT workers were acting in coordination and under centralized control.

Digital assets and infrastructure seized

DOJ is seeking the forfeiture of cryptocurrency assets including ETH, USDT, USDC, and altcoins, as well as high-value NFTs and Ethereum Name Service (ENS) domain names. Wallets associated with laundering flows were hosted across multiple exchanges and included unhosted addresses used to receive and pool fraud proceeds.

Some wallets were voluntarily frozen by Tether following requests by US law enforcement. Others were seized pursuant to federal seizure warrants executed in 2022 and 2023. Investigators traced over 84 exchange accounts tied to the laundering network, including those set up using false KYC documents. In many cases, the same devices were used across multiple platforms, linking activity to DPRK actors despite attempts at anonymity.
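The correlation investigators relied on, both in the login records (IP geolocation, language settings, devices reused across personas) and in the exchange accounts linked by shared devices, can be sketched as follows. This is an added example, not code from the complaint or from TRM; the record layout, persona names, platform names and device fingerprints are all constructed for illustration.

```python
from collections import defaultdict

# Constructed login records; none of these values come from the complaint.
# Fields: persona, platform, device fingerprint, IP country, UI language,
# claimed country, claimed language.
LOGINS = [
    ("persona-1", "exchange-A", "fp-01", "AE", "ko-KR", "US", "en"),
    ("persona-2", "exchange-B", "fp-01", "RU", "ko-KR", "US", "en"),
    ("persona-2", "exchange-B", "fp-02", "RU", "en-US", "US", "en"),
    ("persona-3", "exchange-C", "fp-02", "RU", "ru-RU", "RU", "ru"),
    ("persona-4", "exchange-A", "fp-09", "US", "en-US", "US", "en"),
]

def cluster_by_device(logins):
    """Union-find over personas and devices: personas that share a device,
    directly or through a chain of shared devices, fall into one cluster."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for persona, _, device, *_ in logins:
        parent[find(("persona", persona))] = find(("device", device))
    clusters = defaultdict(set)
    for kind, name in list(parent):
        if kind == "persona":
            clusters[find((kind, name))].add(name)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

def mismatch_signals(logins):
    """Per persona: session attributes that contradict the claimed identity."""
    signals = defaultdict(set)
    for persona, _, _, ip_cc, lang, claimed_cc, claimed_lang in logins:
        if ip_cc != claimed_cc:
            signals[persona].add(f"ip:{ip_cc}")
        if lang.split("-")[0].lower() != claimed_lang:
            signals[persona].add(f"lang:{lang}")
    return {p: sorted(s) for p, s in signals.items()}

def review_queue(logins):
    """Clusters of linked personas with the union of their mismatch signals."""
    sig = mismatch_signals(logins)
    return [(c, sorted({s for p in c for s in sig.get(p, [])}))
            for c in cluster_by_device(logins)]

if __name__ == "__main__":
    for members, signals in review_queue(LOGINS):
        print(members, signals)
```

In the sample data, persona-3 shows no mismatch on its own and is surfaced only because it shares a device with persona-2, which is why device linkage is evaluated across platforms rather than per account.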

Role of Sim and Kim in laundering operations

Sim and Kim functioned as central clearinghouses for the illicit proceeds. Sim, a North Korean official, operated out of Dubai and maintained a self-hosted wallet that received laundered funds from dozens of sources. Kim, operating from Vladivostok, Russia, managed two accounts used to collect and re-distribute proceeds to Sim and to other wallets connected to DPRK-controlled infrastructure.

Sim’s wallet activity, which involved the movement of large sums of USDT and USDC, reflected attempts to obscure source and ownership before transferring funds back to the North Korean government. A substantial portion of Sim’s wallet balance was later transferred to an over-the-counter trader based in the UAE, who was sanctioned by OFAC in December 2024 for converting illicit crypto proceeds into fiat currency.

TRM insights: The North Korea playbook

TRM Labs has closely tracked the evolution of North Korea’s illicit use of cryptocurrency and digital assets. The DPRK cyber apparatus, including groups such as Lazarus, has transformed into a state-backed machine for financial theft and cross-border laundering. Over the past eight years, North Korea is believed to have stolen approximately five billion US dollars in cryptocurrency, making it the most prolific nation-state crypto threat actor.

A significant portion of these funds originated from exchange hacks, including the USD 1.5 billion Bybit exploit on February 21, 2025, attributed to the Lazarus Group. But increasingly, North Korea has shifted to operations involving legitimate employment through deception. The use of IT workers as vectors for revenue generation has grown, accounting for a rising share of the regime’s crypto intake.

In typical laundering operations observed by TRM, North Korean wallets begin by peeling off funds into smaller, harder-to-trace transactions. These are routed through OTC brokers, unregistered exchanges, or platforms with low compliance thresholds. Funds are eventually converted into fiat currency or stored in long-term cold wallets, effectively exiting the blockchain ecosystem while maintaining value.

In addition to traditional thefts, DPRK has scaled its deployment of remote IT workers posing as freelance developers or engineers. These individuals secure positions at Western firms and route their earnings directly to regime-controlled wallets. In 2022, the US government issued a joint advisory alerting the private sector to the national security risks posed by this tactic. That guidance was updated in 2023 and 2024, and reflects a growing consensus that IT worker fraud is not only a sanctions evasion strategy but also a material source of funding for prohibited weapons programs.

Legal basis and ongoing enforcement

The DOJ is proceeding under 18 U.S.C. § 981(a)(1)(A) and (C), alleging violations of wire fraud statutes, the International Emergency Economic Powers Act (IEEPA), and US money laundering laws. The assets targeted for forfeiture span multiple blockchains and platforms, and the government has demonstrated tracing back to specific laundering flows and sanctioned entities.

FAQ: North Korea’s use of fake IT workers and crypto laundering networks

What are North Korean IT worker campaigns, and how do they function?

These campaigns involve DPRK nationals securing remote work under false identities — often as developers or engineers at blockchain and fintech firms. Using VPNs, forged documents, and stolen identities, these workers are paid in digital assets like USDT or USDC. They don’t retain their earnings but instead route them through laundering networks that ultimately benefit sanctioned entities linked to North Korea’s Ministry of Defense and Foreign Trade Bank.

How are these campaigns connected to crypto laundering?

Earnings from IT work are laundered through a web of centralized exchanges, self-hosted wallets, and privacy tools. Funds are frequently consolidated at known DPRK-linked addresses before being transferred to OTC brokers or stored in long-term wallets. The laundering process aims to obscure both the source and destination of funds, making it harder to identify their ultimate use.

Who are the key actors identified in this laundering network?

Two central figures are Sim Hyon Sop and Kim Sang Man. Sim is a North Korean official based in Dubai, and Kim is the CEO of Chinyong, an IT firm subordinate to North Korea’s Ministry of Defense. Both individuals have been designated by OFAC. Together, they helped manage wallets that received and redistributed millions in illicit crypto proceeds from IT worker networks and hacks.

How much cryptocurrency is North Korea estimated to have stolen?

TRM assesses that North Korea has stolen approximately USD 5 billion in crypto over the past eight years. While large-scale hacks (like the USD 1.5 billion Bybit exploit in February 2025) account for much of this volume, earnings from fake IT worker campaigns are playing an increasingly significant role in the regime’s crypto revenue stream.

What actions are being taken by US authorities?

In June 2025, the US Department of Justice filed a civil forfeiture complaint targeting more than USD 7.7 million in digital assets tied to North Korean laundering activity. The case — built through collaboration between the DOJ, FBI, IRS-CI, and international partners — highlights how law enforcement is adapting to the DPRK’s evolving tactics and continuing to disrupt crypto-based sanctions evasion.
