As state-sponsored cyber-crime and digital financial networks increasingly converge, the U.S. Department of Justice (DOJ) is taking action to disrupt what officials say is an ongoing cryptocurrency-laundering scheme linked to North Korea’s hacking operations.
On June 5, 2025, the Justice Department filed a civil forfeiture complaint to recover approximately $7.74 million in cryptocurrency allegedly laundered through U.S. financial infrastructure by actors working on behalf of the Democratic People’s Republic of Korea (DPRK). According to the complaint, the funds were stolen in cyber-attacks attributed to DPRK-affiliated hackers and routed through U.S.-based exchanges using deceptive tactics.
The complaint is a result of a multi-agency investigation coordinated by the FBI, IRS Criminal Investigation (IRS-CI), and Homeland Security Investigations (HSI), using blockchain tracing and financial forensics to follow the flow of digital assets across platforms.
The civil complaint is associated with the April 24, 2023 indictment of North Korean national Sim Hyon Sop, who conspired with three over-the-counter (OTC) traders “to launder stolen cryptocurrency and use the funds to purchase goods through Hong-Kong based front companies for the benefit of North Korea.”
A second related indictment alleged that Sim conspired with North Korean I.T. workers “to launder proceeds of IT development work.” The third indictment separately named Wu HuiHui, a Chinese national who was charged with “operating an unlicensed money transmitting business.” Wu allegedly “operated as an OTC trader on a U.S.-based virtual currency exchange without a license and conducted over 1,500 trades for U.S. customers, totaling over $800,000.”
According to the DOJ’s April 2023 press release,
The IT workers gained employment at U.S. crypto companies using fake identities and then laundered their ill-gotten gains through Sim for the benefit of the North Korean regime…According to court documents, North Koreans apply for jobs in remote IT development work without disclosing that they are North Korean in order to circumvent sanctions.
These IT workers bypass security and due diligence checks by using fake, or fraudulently obtained, identity documents and other obfuscation strategies to hide their true location from online payment facilitators and hiring platforms. The IT workers request payment for their services in virtual currency and then send their earnings back to North Korea via, among other methods, Foreign Trade Bank (FTB) representatives like Sim.
The case highlights the way bad actors can target and exploit virtual assets “to facilitate payments and profits” to commit fraud. These indictments are part of a broader U.S. strategy to block the DPRK’s access to the global financial system through cyber-enabled theft and sanctions evasion. According to the press release, North Korean hackers have been executing “virtual currency-related thefts to generate revenue for the regime” since 2017.
DPRK’s Cyber Program and the Lazarus Group
The cryptocurrency involved in the case is allegedly tied to intrusions carried out by the Lazarus Group, a hacking organization believed to be controlled by North Korea’s Reconnaissance General Bureau. The group is responsible for numerous cyber-attacks aimed at acquiring funds for the regime.
Between 2009 and 2012, the Lazarus Group, also known as APT38, was allegedly linked to repeated, less sophisticated distributed denial-of-service (DDoS) attacks known as Operation Troy, targeting the South Korean government. However, in 2014, the group’s sophisticated attack on Sony Pictures showed that it had evolved to employ more advanced techniques and tools.
In 2016, Lazarus executed a major bank heist, successfully stealing $81 million from the Bangladesh Bank. Lazarus went on to steal approximately $60 million from the Far Eastern Bank of Taiwan. The organization continues to evolve its tactics, using “sophisticated malware, spear-phishing, watering hole attacks, and exploiting zero-day vulnerabilities,” making the group one of the more significant threat actors on the cybersecurity front, according to reporting from radware.com.
Other major incidents attributed to the Lazarus Group include
In 2022, 2023, 2024, and 2025, the Department of Treasury, the DOJ, and the Department of State published a joint advisory detailing how DPRK I.T. workers operate. The advisory identifies “red flag indicators and due diligence measures to help companies avoid hiring DPRK freelance developers and to help freelance and digital payment platforms identify DPRK IT workers abusing their services.”
According to the advisory, one of the ways DPRK I.T. workers obtain I.T. development contracts is by exploiting social media platforms and payment platforms. The I.T. workers are involved in a wide range of sectors, including cryptocurrency, sports, health and fitness, and lifestyle and entertainment. They often “misrepresent themselves using virtual private networks (VPNs), virtual private servers (VPSs), and purchased third country IP addresses, proxy accounts and falsified or stolen ids” to disguise their country of origin. The I.T. workers also often gain access as contractors, in many cases “enabling malicious cyber intrusions by other DPRK actors.”
Per the advisory, red flags include
U.S. employers should consider as critical parts of their due diligence the use of video interviews, proper verification of identifying documents, pre-employment background checks, and avoiding payments in cryptocurrency, instead requiring verification of banking information and cross-referencing it with other identifying documents. Employers should also check profiles across platforms for consistency in details such as misspellings of content, “claimed location,” payment accounts, and hours of work, and should be “suspicious if a developer cannot receive items at the address on [its] identification documentation.”