U.S. DoJ Seizes $7.7M in Crypto and NFTs Tied to North Korean IT Worker Scheme

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

The U.S. Department of Justice (DoJ) has filed a civil forfeiture complaint targeting more than $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and digital assets linked to a covert North Korean operation involving fraudulent IT workers. The funds are believed to support Pyongyang’s weapons programs in violation of U.S. and U.N. sanctions.

North Korea’s Global Freelance Scheme

According to the DoJ, North Korea has exploited remote IT employment and the cryptocurrency ecosystem to funnel money into its strategic programs. IT workers used fake identities, aided by tools like OpenAI’s ChatGPT, to secure jobs at U.S.-based crypto firms and launder earnings through a network of facilitators.

The operation is tied to Sim Hyon-Sop, a sanctioned official of North Korea’s Foreign Trade Bank (FTB), and Kim Sang Man, CEO of Chinyong (a front company), who coordinated fund transfers using forged documents and overseas crypto wallets. Analysis by TRM Labs found Sim’s wallet received over $24 million in crypto between August 2021 and March 2023.

From Laptop Farms to Insider Access

The scheme’s infrastructure included so-called laptop farms, where facilitators operated multiple devices impersonating different IT workers. One such facilitator, Christina Marie Chapman, pleaded guilty in February 2025. She was drawn into the scam through a deceptive LinkedIn message and later helped manage remote access for North Korean operatives.

Cybersecurity firm DTEX describes two types of North Korean IT workers:

  • R-ITWs (Revenue IT Workers): Focused on generating revenue through freelance contracts.

  • M-ITWs (Malicious IT Workers): Engage in cyberattacks, intellectual property theft, and server compromise.

DTEX also warned of an increasing shift from laptop farms to Bring Your Own Device (BYOD) exploitation, using personal machines within corporate environments to maintain stealth.

Covert Access and Remote Control

Research from Sygnia revealed that the IT workers maintained remote access using custom-built remote control systems over Zoom. This included advanced configurations to disable visual or audio indicators and the use of WebSocket-based C2 channels for stealthy command execution.

Meanwhile, Flashpoint identified fake front companies like Helix US and Cubix Tech US used to provide references for job applications. Malware-infected systems linked to these domains exposed credential theft, browser history, and Korean-English translation queries tied to falsified employment documentation.

Looking Ahead: Threat to Financial Systems

Experts warn the threat will likely shift to traditional finance as blockchain and Web3 tools become integrated into mainstream banking. North Korean actors are expected to target these institutions with similar tactics.

“These campaigns aren’t just about malware,” said DTEX’s Michael Barnhart. “They’re about deception at scale, blending seamlessly with legitimate remote work.”

The DoJ’s action marks a significant step in disrupting a well-organized, state-backed financial fraud network designed to bypass sanctions and generate funding for North Korea’s strategic ambitions.