DOJ Moves to Seize $7.7M in Crypto Linked to North Korean IT Infiltration Scheme

The U.S. Department of Justice is cracking down on a sophisticated North Korean operation that allegedly funneled millions in cryptocurrency to the regime through fake IT workers embedded in blockchain and tech firms around the world. In a forfeiture action filed June 5, the DOJ is seeking to seize more than $7.74 million in digital assets tied to the scheme—part of an escalating effort to disrupt North Korea’s cyber-financing networks.
The funds in question were initially frozen in April 2023 following the indictment of Sim Hyon Sop, a North Korean Foreign Trade Bank representative based in China. Sim is accused of coordinating with North Korean nationals posing as remote IT workers to secure crypto-based employment and launder earnings back to Pyongyang.
According to the DOJ’s complaint, filed in federal court in Washington, D.C., the assets include Bitcoin, stablecoins, NFTs, and Ethereum Name Service domains. U.S. officials say the crypto was moved through a web of tactics—including chain-hopping, fake identities, and token swaps—all designed to evade international sanctions.
“Sanctions are in place against North Korea for a reason,” said U.S. Attorney Jeanine Ferris Pirro. “We will halt your progress, strike back, and take hold of any proceeds you obtained illegally.”
This move is part of the DPRK RevGen: Domestic Enabler Initiative, a DOJ program launched in March 2024 to dismantle the financial engines driving North Korea’s weapons programs. Cybercrime has become a key pillar of the DPRK’s fundraising strategy, with operatives stealing more than $1.6 billion through crypto-related attacks in 2024 alone, according to U.S. intelligence.
The operatives often use stolen or fabricated identities to land jobs in crypto and tech companies, requesting payment in stablecoins like USDC or Tether to hide their real locations. These roles not only generate income for the regime, but sometimes grant access to sensitive infrastructure within DeFi and blockchain firms.
Laundered earnings are routed through complex webs of small transactions, fake accounts, cross-chain swaps, and NFT purchases—sometimes passing through intermediaries like Chinyong, a firm linked to North Korea’s Ministry of Defense.
North Korea’s tactics are also evolving. According to an April 2025 report from Google’s Threat Intelligence Group, DPRK operatives have shifted their focus toward European blockchain startups after increased scrutiny in the U.S. Some posed as developers building Solana smart contracts or launching decentralized job marketplaces in the UK, using layers of fake references to pass hiring checks.
Just last month, crypto exchange Kraken flagged and blocked one such applicant during a hiring process. Investigators later uncovered ties to a broader network of infiltrators already embedded in other crypto firms.