On February 12, 2025, the crypto exchange Bybit lost $1.4 billion in a single hack. But this wasn’t the work of a lone hacker or a shadowy syndicate. It was the latest move in a state-run operation orchestrated by North Korea’s Ministry of State Security - using thousands of remote IT workers scattered across Asia, Africa, and Eastern Europe. These aren’t criminals in hoodies. They’re people with LinkedIn profiles, Zoom calls, and pay stubs. And they’re laundering billions in cryptocurrency to fund weapons of mass destruction.
How the Scheme Works
North Korea doesn’t rely on flashy hacks alone anymore. Instead, it runs a quiet, scalable fraud machine: hiring real people to do real IT work - while secretly being agents of the regime. These workers apply for remote software development, cybersecurity, and data analysis jobs through staffing agencies or freelance platforms. They use fake identities, stolen passports, and AI-generated faces to pass background checks. Some even use voice-altering software to mimic native English speakers during interviews.
Once hired, they request payment in USDC or USDT, the two most popular stablecoins. Why? Because they’re pegged to the U.S. dollar, easy to move across borders, and don’t swing wildly in value like Bitcoin. They get paid around $5,000 per month - a standard salary for junior developers in Southeast Asia. But instead of cashing out locally, they funnel the crypto through a chain of wallets, mixing services, and OTC traders in Russia and the UAE.
The money doesn’t vanish. It gets converted into cash through shell companies, then funneled into North Korea’s military budget. According to the Multilateral Sanctions Monitoring Team, this method generated over $1.65 billion in just nine months in 2025. That’s more than the entire GDP of some small nations.
The Tools They Use
This isn’t amateur hour. North Korea’s cyber units have spent years perfecting their tools. They use AI deepfake software to fake video calls - making it look like the worker is in Canada or India while they’re actually in Pyongyang. One Canadian tech startup lost $280,000 after hiring a developer who appeared in Zoom meetings with perfect lighting, eye contact, and English fluency. Later, forensic analysis showed the video feed had been synthesized using GAN models trained on real Canadian employees.
They also use multiple VPNs and proxy networks to mask their true location. Their IP addresses bounce between China, Thailand, and Kazakhstan - making it nearly impossible for companies to flag them as suspicious. Many of these workers have fake university degrees from non-existent institutions. One sanctioned entity, Chinyong Information Technology Cooperation Company, was found to be issuing credentials to over 1,200 operatives between 2022 and 2025.
The laundering process is equally advanced. Funds move through dozens of wallets before being consolidated. Then they’re sent to known DPRK-linked addresses tied to sanctioned individuals like Kim Sang Man and Sim Hyon Sop. The U.S. Department of Justice has identified over 800 crypto addresses linked to this network. Some of these wallets even hold NFTs bought with stolen funds - later sold for cash through underground markets.
Why Companies Are Getting Hit
The global remote work boom created the perfect cover. Companies are desperate to cut costs. They hire freelancers from platforms like Upwork, Toptal, and Fiverr, often skipping background checks to speed up onboarding. North Korean operatives exploit this. They bid 20-30% below market rate. They agree to start work immediately - no contract needed. They’re reliable. They meet deadlines. They don’t ask for raises.
That’s the trap. By the time a company realizes something’s off, the crypto is already gone. The worker disappears. The emails stop. The Zoom account is deleted. And because cryptocurrency transactions are irreversible, there’s no chargeback.
According to the Canadian Anti-Fraud Centre, businesses lose an average of $47,000 per incident. In 78% of cases, payment was made in crypto. And nearly 92% of the fraudulent applications contained forged educational documents. One U.S.-based AI startup hired three “developers” from what they thought was a Ukrainian agency. All three were North Korean. Over six months, they stole $900,000 in ETH and USDT before vanishing.
How Governments Are Fighting Back
The U.S., South Korea, Japan, and the EU have coordinated sanctions since 2024. The Treasury Department’s Office of Foreign Assets Control (OFAC) has designated over 30 entities linked to this scheme, including banks in China, shell companies in the UAE, and OTC traders like a man known only as “Lu.” In December 2024, OFAC sanctioned Lu for converting $120 million in crypto into cash for North Korea.
The FBI and DOJ have launched civil forfeiture cases. In June 2025, they seized $7.7 million in crypto, NFTs, and digital assets tied to fake identities like “Joshua Palmer” and “Alex Hong.” The Financial Action Task Force (FATF) updated its guidance in June 2025, urging virtual asset service providers to monitor for “consistent small-value payments to remote workers with mismatched geolocation data.”
Even blockchain analytics firms like Chainalysis have built new detection models. Their system now flags wallet clusters that receive monthly payments of $4,500-$5,500, sent from multiple countries, then routed through Russian IP addresses. The system is 89% accurate in identifying DPRK-linked wallets - and it’s still improving.
What Businesses Can Do
If you’re hiring remote IT workers, here’s what actually works:
Never pay in crypto - insist on bank transfers or PayPal. Crypto payments are a red flag.
Verify education and employment history directly - call the university. Email the former employer. DPRK operatives use fake schools with no websites or phone numbers.
Use multi-platform video interviews - conduct one call on Zoom, another on Microsoft Teams, and a third on WhatsApp. AI deepfakes often fail to match facial movements across platforms.
Check for inconsistent IP logs - if someone claims to be in Berlin but logs in from Bangkok, then Jakarta, then Moscow - that’s not a freelancer. That’s a state-sponsored operation.
Require signed contracts before payment - DPRK operatives avoid contracts because they can’t be traced back to the regime.
Companies that follow these steps cut their risk of infiltration by 63%, according to a Treasury Department analysis from August 2025. It’s not hard - it just takes discipline.
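The IP-log check from the list above can be automated against sign-in records. The following is an added example, not code from the article or from any vendor it names: it compares each login's GeoIP country with the location the contractor declared at onboarding and flags consecutive logins that would require travelling faster than a commercial flight. The contractor IDs, sample log entries and the 900 km/h threshold are constructed assumptions, and GeoIP resolution is assumed to have happened upstream.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumption: faster than a commercial flight means the IP moved, not the person

# Constructed sample: (ISO timestamp, contractor id, GeoIP country, lat, lon).
# Assumes GeoIP resolution already happened upstream (e.g. in the SSO or VPN log pipeline).
LOGINS = [
    ("2025-03-03T08:02:00", "c-101", "DE", 52.52, 13.40),   # Berlin
    ("2025-03-03T11:30:00", "c-101", "TH", 13.75, 100.50),  # Bangkok
    ("2025-03-03T15:10:00", "c-101", "ID", -6.21, 106.85),  # Jakarta
    ("2025-03-04T07:45:00", "c-101", "RU", 55.75, 37.62),   # Moscow
    ("2025-03-03T09:00:00", "c-202", "PL", 52.23, 21.01),   # Warsaw
    ("2025-03-04T09:05:00", "c-202", "PL", 50.06, 19.94),   # Krakow
]
DECLARED = {"c-101": "DE", "c-202": "PL"}  # country stated at onboarding (constructed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def review_logins(logins, declared):
    """Return {contractor: [findings]} for logins that contradict the declared location."""
    findings, last = {}, {}
    for ts, who, country, lat, lon in sorted(logins):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        notes = findings.setdefault(who, [])
        if country != declared.get(who):
            notes.append(f"{ts} login from {country}, declared {declared.get(who)}")
        if who in last:
            prev_when, prev_lat, prev_lon = last[who]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and km / hours > MAX_KMH:
                notes.append(f"{ts} impossible travel: {km:.0f} km in {hours:.1f} h")
        last[who] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for who, notes in review_logins(LOGINS, DECLARED).items():
        print(who, "FLAG" if notes else "ok", *notes, sep="\n  ")
```

A country mismatch on its own can be a legitimate trip or a corporate VPN exit, so findings like these are a prompt for the identity and contract checks in the list, not a verdict.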
The Bigger Picture
This isn’t just about money. It’s about survival. North Korea’s economy is crushed under sanctions. Its nuclear program can’t run without foreign currency. Crypto laundering is their lifeline. The $1.65 billion they stole in 2025 didn’t go to luxury cars or private jets. It went to copper for missile casings, lithium for batteries, and precision machining tools for warheads.
The regime has adapted. When exchanges cracked down on large hacks, they shifted to steady, small payments. When banks blocked wire transfers, they moved to OTC traders. When AI detection improved, they upgraded their deepfake software. They’re not going away.
But they’re not unstoppable. International cooperation is growing. Blockchain analysis is getting smarter. Companies are learning. And every time a business refuses to pay in crypto or verifies a worker’s identity, they’re cutting off a line of supply to a regime that threatens global security.
This isn’t a tech problem. It’s a human one. The real threat isn’t the code. It’s the belief that remote work means you can’t know who you’re hiring. You can. And you must.
Are North Korean IT workers really using AI deepfakes to fake video interviews?
Yes. Multiple verified cases show DPRK operatives using AI-generated faces and voices to pass video interviews. In one case, a Canadian tech firm hired a developer who appeared in Zoom calls for six months - the video feed looked flawless. Forensic analysis later confirmed the video was synthesized using GAN models trained on real employees. The worker never existed outside the screen. The RCMP and U.S. Treasury both confirmed this technique is now standard practice.
Why do North Korean workers ask for payment in stablecoins like USDC or USDT?
Stablecoins are preferred because they’re pegged to the U.S. dollar, making them stable and easy to convert into cash. Unlike Bitcoin or Ethereum, their value doesn’t swing, so the regime knows exactly how much they’re getting. They’re also widely accepted by over-the-counter (OTC) traders in Russia and the UAE - the key hubs for laundering. The U.S. Treasury specifically cited USDC and USDT in its June 2025 sanctions announcement as the preferred payment method for these operations.
Can blockchain analysis detect these laundering schemes?
Yes. Blockchain analytics firms like Chainalysis and Elliptic have built detection models that identify patterns unique to DPRK operations: consistent monthly payments of $4,500-$5,500, fragmented transfers across dozens of wallets, and final consolidation through Russian or UAE-based addresses. The U.S. Treasury’s FinCEN is launching a prototype system in Q1 2026 that can identify DPRK-linked wallets with 89% accuracy. These tools are already helping law enforcement seize millions in crypto.
How much money have North Korean IT workers stolen in total?
From January to September 2025 alone, the Multilateral Sanctions Monitoring Team estimated these schemes generated $1.65 billion. That includes the $1.4 billion Bybit heist and hundreds of smaller, steady payments from remote jobs. Since 2017, total proceeds are estimated at over $4 billion. In 2024, crypto gains reached $1.2 billion, making this the most profitable method of sanctions evasion for North Korea - surpassing even ransomware attacks.
What should companies do if they suspect they’ve hired a North Korean IT worker?
Stop all payments immediately. Preserve all communication logs, wallet addresses, and IP data. Report the incident to your country’s financial intelligence unit - in the U.S., that’s FinCEN. If you paid in crypto, contact a blockchain forensic firm like Chainalysis to trace the funds. Do not confront the worker - they may be armed or connected to state actors. Treat this as a national security incident, not just a fraud case.
Comments (8)
Gavin Jones
November 14, 2025 at 07:59
Wow. This is terrifying but also fascinating. I never thought about how remote work could be weaponized like this. The fact that these people have LinkedIn profiles and Zoom calls... it’s like dystopian realism. We’re all just trying to get by, but someone’s out there building missiles with our payroll funds. I hope companies start taking this seriously.
Mauricio Picirillo
November 14, 2025 at 08:37
Man, I hired a guy from Ukraine last year for $4k/month in USDT. He was always on time, delivered great code, never complained. Now I’m sweating bullets thinking he might’ve been a DPRK bot. 😅
Liz Watson
November 15, 2025 at 17:16
Oh please. You’re all acting like this is news. The CIA’s been warning about this since 2020. The real tragedy? You people still pay in crypto. You’re not victims - you’re enablers. Get a bank account. Learn to verify. Or stop pretending you’re tech-savvy.
Rachel Anderson
November 16, 2025 at 17:03
I just cried reading this. Not because of the money. Not because of the hacks. But because these people - these REAL people - are trapped. They’re not evil. They’re just... tools. Like chess pieces in a game they didn’t choose. And we’re the ones sitting in our cozy homes judging them while they code under surveillance. It’s horrifying.
Hamish Britton
November 18, 2025 at 16:45
Been in IT for 15 years. I’ve seen fake degrees, sketchy IPs, weird payment requests. But this? This is next level. I started requiring two video interviews on different platforms after a guy from ‘Poland’ logged in from 5 countries in one day. Took me 3 months to realize he was never in Poland. Now I don’t even hire without a live signature on contract. Worth the delay.
Robert Astel
November 19, 2025 at 13:24
You know what this really shows? That capitalism is the real villain here. Companies want cheap labor so bad they ignore red flags. The system rewards speed over safety, profit over principle. And now the DPRK is just exploiting the cracks we made ourselves. We built the ladder, they climbed it. Now we’re surprised they’re here? We’re all complicit in a way. We’re the ones who made remote work a free-for-all. And now we’re paying for it - with our security, our ethics, our future. It’s poetic. And tragic. And kind of beautiful in a fucked-up way.
Kevin Hayes
November 20, 2025 at 00:06
The sophistication of this operation cannot be overstated. The use of stablecoins as a laundering vector is not only economically rational - it is strategically brilliant. The regime has effectively outsourced its financial warfare to a global gig economy. This is not cybercrime. This is statecraft. And until we treat it as such - with coordinated international legal, financial, and technological countermeasures - we are merely rearranging deck chairs on the Titanic.
Katherine Wagner
November 20, 2025 at 23:23
So... the deepfakes are real? Like... really real? I mean... what if I’m talking to one right now? 😬