How North Korean IT Workers Use Crypto to Launder Billions

On February 12, 2025, the crypto exchange Bybit lost $1.4 billion in a single hack. But this wasn’t the work of a lone hacker or a shadowy gang. It was the latest move in a state-run operation by North Korea - one that’s been quietly siphoning billions from global businesses through something far more insidious than a breach: remote IT jobs.

North Korea doesn’t need to break into your system. It just needs you to hire someone.

The Fake Remote Worker

Imagine you’re a startup in Toronto trying to cut costs. You post a job for a senior backend developer. A candidate applies from "Kyiv" with a polished resume, flawless English, and a portfolio that looks legit. They ask for payment in USDT. Their rate? 30% below market. They don’t need a contract. They start next week.

That person isn’t from Kyiv. They’re likely sitting in a Pyongyang basement, operating under a fake ID, using AI to mimic a voice and face during Zoom calls, and logging in from a network of fake IP addresses across Russia and the UAE. Their real employer? The North Korean government.

Since 2017, Pyongyang has systematically deployed thousands of IT workers overseas under false identities. These aren’t hackers breaking into banks. They’re employees - paid regular salaries, working standard hours, submitting bug reports, and collecting paychecks in cryptocurrency. And every dollar they earn? It’s fueling missiles and nuclear weapons.

How the Scheme Works

The operation is built on three pillars: deception, cryptocurrency, and obfuscation.

First, deception. North Korean operatives use stolen or forged documents to pose as developers from Eastern Europe, Southeast Asia, or Latin America. They fake university degrees, LinkedIn profiles, and work histories. Some even use AI-generated photos and voice clones to pass video interviews. Chainalysis found that 92% of verified DPRK applications contained falsified credentials.

Second, cryptocurrency. These workers almost always demand payment in stablecoins - USDC or USDT. Why? Because they’re pegged to the dollar, easy to transfer, and accepted by over-the-counter (OTC) traders who don’t ask questions. Once paid, the money moves through dozens of crypto wallets, fragmented across chains and mixed with other funds. This makes tracing nearly impossible without advanced blockchain analytics.

Third, obfuscation. The funds don’t go straight to Pyongyang. They flow through intermediaries in Russia, the UAE, and China. One key facilitator, a person known only as "Lu," was sanctioned by the U.S. Treasury in December 2024 for converting crypto into cash for the regime. The money eventually reaches senior operatives like Kim Sang Man and Sim Hyon Sop - both already on international sanctions lists.

The result? A steady, low-risk income stream. Unlike the flashy $625 million heist from Harmony Bridge in 2022, this method generates smaller, regular payments - around $5,000 per worker per month. But with thousands of operatives, the total adds up fast. Between January and September 2025 alone, these schemes generated $1.65 billion, according to the Multilateral Sanctions Monitoring Team.

Why It’s So Hard to Stop

Traditional cybersecurity tools don’t catch this. There’s no malware. No phishing emails. No ransomware pop-up. The company isn’t hacked - it’s fooled.

The RCMP’s July 2025 advisory warned businesses about five red flags:

  • Requests for crypto-only payment
  • Multiple login locations across different countries in a single day
  • AI-generated deepfakes during video interviews
  • Refusal to sign contracts or provide references
  • Unrealistically low rates - often 20-30% below market

But even when companies spot these signs, it’s hard to act. Many don’t know how to verify a remote worker’s identity without an in-person meeting. And once crypto is sent, it’s gone. Recovering funds is almost impossible.
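
Of the red flags listed above, "multiple login locations across different countries in a single day" is the one that can be checked mechanically against authentication logs. The following is an added example, not taken from the RCMP advisory or any vendor tool: it assumes a hypothetical log format (UTC timestamp, account, source IP, country code already resolved by an upstream GeoIP step), and the account names, IPs and log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: UTC timestamp, account, source IP (documentation
# ranges), country code resolved by an assumed upstream GeoIP enrichment step.
SAMPLE_LOG = """\
2025-07-14T01:12:09Z dev-contractor-7 198.51.100.23 RU
2025-07-14T06:40:51Z dev-contractor-7 203.0.113.77 AE
2025-07-14T08:02:33Z staff-anna 192.0.2.10 CA
2025-07-14T13:25:00Z dev-contractor-7 198.51.100.99 RU
2025-07-14T19:47:18Z dev-contractor-7 203.0.113.5 UA
2025-07-15T08:05:12Z staff-anna 192.0.2.10 CA
2025-07-16T09:00:00Z staff-bo 192.0.2.44 CA
2025-07-18T09:00:00Z staff-bo 192.0.2.80 US
malformed line without enough fields
"""

WINDOW = timedelta(hours=24)  # "a single day" from the red-flag list


def parse(log_text):
    """Yield (timestamp, account, ip, country); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3].upper()


def multi_country_logins(log_text, min_countries=2, window=WINDOW):
    """Return {account: sorted country codes} for every account that logged in
    from at least min_countries distinct countries inside one sliding window."""
    by_account = defaultdict(list)
    for ts, account, _ip, country in parse(log_text):
        by_account[account].append((ts, country))

    flagged = defaultdict(set)
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events from the left until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {country for _, country in events[start:end + 1]}
            if len(seen) >= min_countries:
                flagged[account] |= seen
    return {account: sorted(c) for account, c in flagged.items()}


if __name__ == "__main__":
    print(multi_country_logins(SAMPLE_LOG))
```

A hit is a prompt for the identity checks described later in the article, not proof: legitimate travel and corporate VPN exits produce the same pattern, so an allow-list of known egress points is usually needed before alerting.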

A Canadian tech firm lost $280,000 over six months to a North Korean operative who used AI to mimic a real developer during weekly calls. The worker disappeared after the final payment. No trace. No arrest. Just silence.

Who’s Behind It

This isn’t rogue actors. It’s a coordinated state program.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) designated Chinyong Information Technology Cooperation Company in July 2025 as the main recruitment arm. It’s not a company you’d find on Google - it’s a front for North Korea’s military intelligence bureau. Other entities tied to the scheme include Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation, both sanctioned in July 2025.

The money isn’t just funding weapons. According to the MSMT’s October 2025 report, DPRK uses stablecoin proceeds to buy copper, rare earth metals, and other materials used in missile production. One transaction chain traced to a Chinese bank in July 2025 showed $2.1 million in crypto converted to copper ingots shipped to North Korea.

How Companies Can Protect Themselves

The good news? It’s possible to stop this.

The U.S. Treasury’s August 2025 analysis showed that companies using strict verification protocols reduced infiltration attempts by 63%. Here’s what works:

  1. Never pay in crypto. Use bank transfers or regulated payment platforms like PayPal or Wise. If a candidate insists on crypto, walk away.
  2. Verify identity with live, multi-platform video calls. Ask them to open a random website on their screen, read a sentence aloud, or show a physical ID. AI deepfakes can’t handle real-time, unpredictable prompts.
  3. Check education and work history directly. Call the university. Email their former employer. DPRK operatives often list fake schools like "Pyongyang University of Computer Science" - which doesn’t exist.
  4. Use blockchain monitoring tools. Services like Chainalysis or Elliptic can flag wallets linked to known DPRK addresses. Even if you’re not a crypto expert, your payroll provider can integrate these checks.
  5. Require signed contracts before payment. DPRK workers avoid contracts because they can’t be held accountable.

Training HR and security teams takes 4-6 weeks. Ongoing monitoring adds 15-20 hours per week per remote worker. But compared to losing $280,000 - or worse, funding a nuclear program - it’s a small cost.

The Bigger Picture

North Korea’s IT worker scheme now accounts for 43% of all illicit crypto revenue generated by the regime - more than exchange hacks. With the global remote work market hitting $427 billion in 2025, there are more opportunities than ever for infiltration.

Governments are responding. The U.S. is offering up to $15 million for tips leading to arrests. The Financial Action Task Force (FATF) updated its guidelines in June 2025 to require VASPs (virtual asset service providers) to screen for DPRK-linked transactions. FinCEN is testing a new AI system for Q1 2026 that can detect DPRK wallet clusters with 89% accuracy.

But technology alone won’t fix this. The real solution is human vigilance. Every company that hires a remote worker is a potential entry point. Every time someone ignores a red flag, they’re helping North Korea build weapons.

What’s Next

The regime won’t stop. It’s too profitable. But its methods will evolve. We may see more use of NFTs, privacy coins like Monero, or even decentralized finance (DeFi) protocols to hide transactions. Some analysts predict a 25-30% drop in successful infiltrations by late 2026 - not because the threat is gone, but because defenses are getting smarter.

The lesson is clear: if you’re hiring remotely, you’re not just hiring a developer. You’re hiring a potential accomplice in a global crime syndicate.

Don’t assume someone’s innocent because they look professional. Don’t trust a resume just because it’s polished. And never, ever pay in crypto unless you’re absolutely certain of who you’re dealing with.

Because in this game, the most dangerous hackers aren’t the ones breaking in.

They’re the ones you invited in.

How do North Korean IT workers hide their identity?

They use stolen or forged documents, AI-generated voice and face deepfakes, and virtual private networks (VPNs) to mask their location. They often claim to be from countries like Ukraine, Vietnam, or Brazil, and use fake educational backgrounds and employment histories. Some even use AI tools to generate realistic LinkedIn profiles and portfolio websites.

Why do they ask for payment in stablecoins like USDT or USDC?

Stablecoins are pegged to the U.S. dollar, so their value doesn’t fluctuate. This makes them ideal for laundering - they can be easily transferred across borders and converted into cash through unregulated OTC traders without triggering bank alerts. Unlike Bitcoin, stablecoins are widely accepted by crypto-to-fiat services that don’t require strict KYC checks.

Can blockchain analysis detect these laundering schemes?

Yes. Tools from Chainalysis, Elliptic, and others can trace wallet clusters linked to known North Korean addresses. These wallets often show patterns like frequent small transfers, use of mixers, and movement through Russian or UAE-based addresses. The U.S. Treasury’s FinCEN is developing an AI system expected to identify DPRK-linked wallets with 89% accuracy by early 2026.

What should I do if I suspect I’ve hired a North Korean IT worker?

Stop all payments immediately. Do not confront them. Document everything - chat logs, video recordings, wallet addresses. Report the case to your local cybercrime unit and file a report with the U.S. Treasury’s OFAC or your country’s financial intelligence unit. If crypto was sent, contact a blockchain forensic firm to trace the funds. Do not attempt to recover the money yourself - it could compromise an investigation.

Are there any legitimate North Korean IT workers abroad?

No. All North Korean citizens working remotely for foreign companies are part of state-run programs. The DPRK government controls all international employment. Even if a worker claims to be independent, they are still acting on behalf of the regime. There are no private, freelance North Korean developers operating outside state control.

How much money have these schemes generated?

Between January and September 2025, North Korean IT worker schemes generated at least $1.65 billion, according to the Multilateral Sanctions Monitoring Team. In 2024, the total was $1.2 billion. The largest single theft was the $1.4 billion Bybit hack in February 2025. These funds are used to finance North Korea’s nuclear and ballistic missile programs.

Which countries are most affected by these schemes?

The U.S., Canada, South Korea, Japan, and Western European nations are primary targets due to their high demand for remote tech talent and strong digital infrastructure. However, companies in Australia, New Zealand, and even Latin America have also been compromised. China has been identified as a key laundering hub, with at least 15 Chinese banks used to convert crypto into fiat.

14 Comments

  • Michael Labelle

    November 27, 2025 AT 03:13

    Been hiring remote devs for years. This is wild but not surprising. I’ve had candidates who seemed too perfect - flawless English, insane availability, weirdly low rates. Never thought it could be state-sponsored. Feels like we’re all unwitting pawns in a geopolitical game.

    Still, I’m not blaming the workers. They’re probably just trying to survive under a brutal regime. The real villains are the ones pulling the strings from Pyongyang.

    Anyway, I’m double-checking every new hire now. Crypto? No. Video call with live prompts? Yes. No more shortcuts.

  • Joel Christian

    November 27, 2025 AT 16:51

    ok so like… i just hired a guy from ‘kyiv’ last month for 30/hr in usdt and he’s like a godsend?? idk if he’s north korean but i’m kinda scared now?? lol

    also he types in all lowercase and never uses punctuation… is that a sign??

  • jeff aza

    November 28, 2025 AT 15:20

    Let’s be clear: this isn’t a ‘hack.’ It’s a systemic exploitation of labor arbitrage, combined with cryptographic obfuscation and identity laundering - essentially a hybrid of social engineering and state-sponsored economic warfare. The fact that companies are still using crypto for payroll is a regulatory failure of epic proportions.

    Chainalysis data shows that 92% of DPRK-affiliated applicants use forged credentials. That’s not a vulnerability - it’s a flagrant disregard for due diligence. If you’re paying in USDT without KYC, you’re not a startup - you’re a money mule.

    And yes, AI deepfakes are a problem, but the real issue is that HR departments are still using résumés as the primary authentication mechanism. That’s like verifying a bank account with a selfie.

    Also, the term ‘remote IT worker’ is misleading. These aren’t workers - they’re state assets. Period.

  • Vijay Kumar

    November 30, 2025 AT 03:10

    Humanity is sleeping while the world burns. We outsource jobs to save money… and unknowingly fund nuclear missiles.

    Is this capitalism? Or just collective suicide?

    Wake up. Your convenience is their weapon.

  • Vance Ashby

    December 1, 2025 AT 12:19

    so i just got a message from a ‘dev’ in ‘brazil’ offering to do my whole backend for $5k in usdt…

    now i’m second-guessing everything 😅

    also… why do they always want usdt? like… is it the only crypto that doesn’t look sketchy? 🤔

  • Brian Bernfeld

    December 1, 2025 AT 15:03

    Listen - I’ve been in tech for 20 years, and I’ve seen scams. But this? This is next-level evil. These aren’t just criminals - they’re architects of global instability.

    I’ve trained dozens of HR teams on this exact issue. We run live video checks with random math problems, screen shares, and ID verification. We’ve blocked 17 suspicious hires in the last year alone.

    And yes - it’s a pain. But every hour you spend verifying someone is an hour you’re not spending cleaning up a $200k loss - or worse, helping build a warhead.

    If you’re hiring remotely, you’re not just a business owner. You’re a gatekeeper. Don’t fail that test.

  • Ian Esche

    December 3, 2025 AT 08:05

    North Korea thinks it’s clever? Let them try. We’ve got the best tech, the best laws, and the most pissed-off allies on Earth. If they think they can sneak in through a Zoom call, they’re in for a rude awakening.

    Time to shut this down. Sanction every wallet. Blacklist every fake LinkedIn. And if a candidate won’t sign a contract? Block them. No exceptions.

    This isn’t about politics. It’s about survival.

  • Felicia Sue Lynn

    December 3, 2025 AT 20:29

    It is profoundly tragic that the most vulnerable people - those forced into labor by an oppressive regime - are being used as instruments of global harm. While the state bears full moral responsibility, we must also reflect on how our own systems of convenience and cost-cutting enable such exploitation.

    Perhaps the real question is not how to detect them, but how to dismantle the economic structures that make this possible. If remote work is to be ethical, it must be equitable - not merely efficient.

    Let us not become the architects of our own moral compromise.

  • Christina Oneviane

    December 5, 2025 AT 04:23

    Oh wow, so now I’m supposed to feel bad for the North Korean devs? ‘They’re just trying to survive!’

    Yeah, and I’m sure they’re also crying while they code the malware that steals your data.

    Get real. They’re soldiers. In suits. With laptops.

    And if you’re still paying them in crypto? You’re the idiot.

    😂

  • fanny adam

    December 6, 2025 AT 22:15

    This is not a coincidence. The U.S. government has known about this for years. Why haven’t they shut it down? Because they’re profiting from the chaos.

    Think about it: who benefits from constant cyber insecurity? Defense contractors. Surveillance tech firms. Crypto exchanges that launder funds. The entire military-industrial complex thrives on fear.

    And now, they’re using this narrative to justify more surveillance, more control, more ‘security’ laws that erode privacy.

    Who’s really pulling the strings? The DPRK? Or the people who profit from pretending they are?

  • Eddy Lust

    December 8, 2025 AT 18:07

    Man, I just had a guy from ‘Vietnam’ do my API for me - paid him in USDT, he was chill, never missed a deadline.

    Now I’m sitting here wondering if he’s building nukes in a basement while I’m binge-watching Netflix.

    Still… I kinda miss him. He’d send me memes at 3am. Now I feel weird. Like I betrayed someone. Or maybe I was the one who got played?

    Either way… I’m switching to Wise from now on. No more crypto. No more ‘too good to be true.’

    Rest in peace, my digital ghost.

  • Casey Meehan

    December 9, 2025 AT 03:24

    Bro. I just got a job offer from ‘Ukraine’ for $40/hr in USDT. I said yes. 😎

    Now I’m gonna send them a selfie with a banana in my mouth and see if the AI can handle it. 🍌🤖

    If they reply with a perfect deepfake of me holding a banana… I’m reporting them. And also… I’m kinda impressed?

  • Tom MacDermott

    December 10, 2025 AT 12:18

    Oh, so now we’re supposed to treat North Korean operatives like misunderstood artists? ‘They’re just trying to survive!’

    Let me guess - you also think the mafia is just ‘entrepreneurs with bad PR.’

    This isn’t a moral dilemma. It’s a hostile act. And if you’re still hiring crypto devs from Eastern Europe without a background check, you’re not a tech founder - you’re a liability with a LinkedIn profile.

    Also, your ‘empathy’ is embarrassing.

  • Sam Daily

    December 11, 2025 AT 23:53

    Hey everyone - this is serious, but don’t panic.

    I’ve built a free checklist for hiring remote devs: 5 red flags, 3 verification steps, and a script for video calls that breaks AI deepfakes. I’ll drop the link in the comments.

    Let’s not let fear paralyze us - let’s use knowledge to protect ourselves. And hey - if you’re a dev reading this? If you’re from North Korea, I see you. You’re not alone. But please… don’t be their weapon. There’s another way.

    Stay safe. Stay sharp. And if you’re hiring? Don’t be the weak link.