DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes, per a new DOJ forfeiture complaint.

The DOJ filed a civil forfeiture complaint for $7.74M in crypto tied to North Korean fake IT worker schemes linked to the indictment of North Korean Foreign Trade Bank (FTB) representative Sim Hyon Sop.

The frozen funds include cryptocurrency, NFTs, and other digital assets.

“The Department of Justice filed a civil forfeiture complaint today in the U.S. District Court for the District of Columbia alleging that North Korean information technology (IT) workers obtained illegal employment and amassed millions in cryptocurrency for the benefit of the North Korean government, all as a means of evading U.S. sanctions placed on North Korea,” reads the press release published by the DoJ. “The funds were initially restrained in connection with an April 2023 indictment against Sim Hyon Sop (Sim), a North Korean Foreign Trade Bank (FTB) representative who was allegedly conspiring with the IT workers. While the North Koreans were attempting to launder those ill-gotten gains, the U.S. government was able to freeze and seize over $7.74 million tied to the scheme.”

The DOJ complaint reveals that North Korea funds its priorities by illegally obtaining cryptocurrency, partly through IT workers secretly deployed abroad, including in China and Russia. These workers land remote jobs, often with blockchain firms, by using fake IDs and deceptive tactics to hide their true identities and locations. Unaware of the scheme, employers pay them in stablecoins like USDC and USDT, unknowingly fueling North Korea’s revenue stream.

North Korean IT workers allegedly laundered the illicit crypto using fake identities, small transfers, chain hopping, NFT purchases, and U.S. accounts to hide the funds’ origin. Once cleaned, the funds were funneled back to the regime, sometimes via Sim Hyon Sop and Kim Sang Man, CEO of Chinyong, a firm tied to North Korea’s Ministry of Defense and sanctioned by the U.S. since 2017.

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, Head of the Justice Department’s National Security Division. “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

In May 2024, the Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of helping overseas IT workers who posed as U.S. citizens infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days earlier. US authorities are requesting Didenko’s extradition to the United States.

Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

The FBI also issued an advisory warning the public and private sectors of the threat posed to U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea).

In August, the U.S. Justice Department arrested Matthew Isaac Knoot (38) of Nashville, Tennessee, for operating a “laptop farm” that helped North Korea-linked IT workers obtain remote jobs with American companies.

The man was arrested for his efforts to generate revenue for North Korea’s illicit weapons program, which includes weapons of mass destruction (WMD).

US authorities accused Knoot of aiding North Korean IT workers in using a stolen identity to impersonate a U.S. citizen, hosting company laptops at his home, installing unauthorized software to facilitate access, and laundering payments for the remote work through accounts linked to North Korean and Chinese individuals.

“According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors,” reads the press release published by the DoJ. “Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.”

North Korea has dispatched skilled IT workers abroad, mainly to China and Russia, to deceive global businesses into hiring them as freelance IT workers, generating revenue for its weapons programs. These IT workers use fake identities and online tactics to mask their true origins. According to a May 2022 advisory, they can earn up to $300,000 annually each.

An indictment in Tennessee reveals that Knoot aided North Korean IT workers by facilitating remote IT jobs at U.S. companies under the false pretense that they were U.S.-based. Knoot operated a “laptop farm” from July 2022 to August 2023, where he received laptops shipped to a fake identity, installed unauthorized software, and allowed North Korean workers in China to access U.S. company networks. Knoot was paid monthly by a foreign facilitator named Yang Di. His operations were raided in August 2023.

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

It has been estimated that Knoot and his conspirators caused the targeted companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies and transfer the funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that the transferred funds were the proceeds of it. The non-U.S. accounts include accounts associated with North Korean and Chinese actors.

The victim companies believed they were hiring a legitimate U.S. worker and shipped laptops to Knoot’s home. Knoot then installed unauthorized software on the laptops so that the North Korean IT workers could log in remotely from locations in China.
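The laptop-farm pattern described above leaves traces a defender can score from ordinary asset and endpoint data: several corporate laptops for different hires shipped to one residence, an unapproved remote-desktop application on the device, and remote-desktop sessions reaching the laptop from abroad. The following is an added example, not code from the article or from the DOJ filings; the tool watchlist and every inventory record in it are constructed, and the field names are assumptions about what an asset-management export would contain.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical watchlist: remote-desktop tools not approved by this fleet's IT.
REMOTE_DESKTOP_WATCHLIST = {"anydesk", "teamviewer", "rustdesk", "splashtop"}

@dataclass
class Endpoint:
    host: str
    employee: str           # name on the HR record and the laptop shipment
    ship_to: str            # residential address the laptop was shipped to
    installed: list         # software inventory from endpoint management
    inbound_sessions: list  # source country of inbound remote-desktop sessions

def score_fleet(fleet):
    """Return {host: [reasons]} for every endpoint matching at least one indicator."""
    hires_at = defaultdict(set)  # shipping address -> distinct hires shipped there
    for e in fleet:
        hires_at[e.ship_to].add(e.employee)
    findings = {}
    for e in fleet:
        reasons = []
        tools = {s.lower() for s in e.installed} & REMOTE_DESKTOP_WATCHLIST
        if tools:
            reasons.append("unapproved remote-desktop software: " + ", ".join(sorted(tools)))
        if len(hires_at[e.ship_to]) > 1:
            reasons.append(f"shipping address shared by {len(hires_at[e.ship_to])} different hires")
        abroad = sorted({c for c in e.inbound_sessions if c != "US"})
        if abroad:
            reasons.append("inbound remote-desktop sessions from: " + ", ".join(abroad))
        if reasons:
            findings[e.host] = reasons
    return findings

def high_confidence(findings, min_indicators=2):
    """Hosts where several independent indicators line up; triage these first."""
    return sorted(h for h, r in findings.items() if len(r) >= min_indicators)

# Constructed sample inventory (not real telemetry): two laptops for different
# hires shipped to one residence, both running remote-desktop tools with
# sessions arriving from abroad; one clean laptop; one with a single indicator.
FLEET = [
    Endpoint("LT-1041", "Hire A", "12 Elm St, Springfield", ["Slack", "AnyDesk"], ["CN", "CN", "US"]),
    Endpoint("LT-1077", "Hire B", "12 Elm St, Springfield", ["Zoom", "TeamViewer"], ["CN"]),
    Endpoint("LT-1090", "Hire C", "40 Pine Ave, Denver, CO", ["Zoom", "Slack"], []),
    Endpoint("LT-1102", "Hire D", "7 Oak Rd, Austin, TX", ["RustDesk"], ["US"]),
]

if __name__ == "__main__":
    for host, reasons in score_fleet(FLEET).items():
        print(host, "->", "; ".join(reasons))
    print("triage first:", high_confidence(score_fleet(FLEET)))
```

A single indicator (one hire with a remote-desktop tool) is common and benign on its own; the value is in the address sharing and foreign inbound sessions lining up on the same device.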

“Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens,” concludes the DoJ. “If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.”

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)