United States authorities have launched a forfeiture action to seize millions in crypto funneled to North Korea through a global network of fake IT workers embedded in blockchain firms.
According to a June 5 statement from the U.S. Department of Justice (DOJ), the agency is seeking to confiscate over $7.74 million in digital assets allegedly earned through illicit employment and laundering schemes designed to evade U.S. sanctions.
The funds were initially frozen in April 2023 following the indictment of Sim Hyon Sop, a North Korean Foreign Trade Bank representative based in China, accused of conspiring with DPRK IT workers to funnel crypto earnings back to the regime.
Authorities allege these funds were part of a coordinated laundering effort that included chain hopping, token swaps, and fictitious identities to obscure their origin.
In its complaint filed in a Washington D.C. federal court, the DOJ has targeted multiple forms of digital property, including Bitcoin, stablecoins, non-fungible tokens, and Ethereum Name Service domains.
Officials allege these operations were part of a broader effort by North Korea to sidestep international sanctions and fund its weapons programme through cyber-enabled revenue streams.
“Sanctions are in place against North Korea for a reason, and we will diligently investigate and prosecute anyone who tries to evade them. We will halt your progress, strike back, and take hold of any proceeds you obtained illegally,” U.S. Attorney Jeanine Ferris Pirro said in an accompanying statement.
With DPRK-linked hackers reportedly stealing over $1.6 billion from crypto firms in 2024 alone, U.S. officials say more aggressive action is required.
The DOJ’s latest action is part of the broader “DPRK RevGen: Domestic Enabler Initiative,” launched in March 2024 to disrupt North Korea’s revenue-generation networks.
A growing threat to crypto
North Korean operatives have been linked to some of the largest cryptocurrency heists in recent years, with malicious IT workers increasingly playing a central role in breaching blockchain firms from the inside.
Often operating under stolen or fabricated identities, these individuals secure remote jobs at crypto and tech companies, where they typically request payment in stablecoins like USDC and Tether, a tactic believed to help mask their true locations.
Once employed, these positions provide a financial lifeline to the regime and, in some cases, access that can later be exploited.
Illicit earnings from these roles are often funneled back to the regime through a web of laundering techniques, including fake accounts, small-value transfers, cross-chain swaps, and NFT purchases, before being rerouted, sometimes via sanctioned intermediaries like Chinyong, a company tied to North Korea’s Ministry of Defense.
In recent years, North Korean IT workers have continued to expand their operations, adapting their tactics and shifting targets as enforcement efforts intensify.
According to an April 2025 report from Google’s Threat Intelligence Group, North Korean IT operatives were increasingly targeting European blockchain firms after heightened scrutiny in the United States.
The report detailed cases of DPRK workers building Solana smart contracts and job marketplaces in the UK, often using elaborate webs of fake references and identities to pass recruitment checks.
Last month, cryptocurrency trading platform Kraken intercepted one such attempt when a job applicant raised red flags during the recruitment process. Further investigation revealed the candidate was a North Korean operative linked to a broader network of infiltrators who had already secured roles at other crypto firms.