On February 12, 2025, the crypto exchange Bybit lost $1.4 billion in a single hack. But this wasn’t the work of a lone hacker or a shadowy gang. It was the latest move in a state-run operation by North Korea - one that’s been quietly siphoning billions from global businesses through something far more insidious than a breach: remote IT jobs.
North Korea doesn’t need to break into your system. It just needs you to hire someone.
The Fake Remote Worker
Imagine you’re a startup in Toronto trying to cut costs. You post a job for a senior backend developer. A candidate applies from "Kyiv" with a polished resume, flawless English, and a portfolio that looks legit. They ask for payment in USDT. Their rate? 30% below market. They don’t need a contract. They start next week.
That person isn’t from Kyiv. They’re likely sitting in a Pyongyang basement, wearing a fake ID, using AI to mimic a voice and face during Zoom calls, and logging in from a network of fake IP addresses across Russia and the UAE. Their real employer? The North Korean government.
Since 2017, Pyongyang has systematically deployed thousands of IT workers overseas under false identities. These aren’t hackers breaking into banks. They’re employees - paid regular salaries, working standard hours, submitting bug reports, and collecting paychecks in cryptocurrency. And every dollar they earn? It’s fueling missiles and nuclear weapons.
How the Scheme Works
The operation is built on three pillars: deception, cryptocurrency, and obfuscation.
First, deception. North Korean operatives use stolen or forged documents to pose as developers from Eastern Europe, Southeast Asia, or Latin America. They fake university degrees, LinkedIn profiles, and work histories. Some even use AI-generated photos and voice clones to pass video interviews. Chainalysis found that 92% of verified DPRK applications contained falsified credentials.
Second, cryptocurrency. These workers almost always demand payment in stablecoins - USDC or USDT. Why? Because they’re pegged to the dollar, easy to transfer, and accepted by over-the-counter (OTC) traders who don’t ask questions. Once paid, the money moves through dozens of crypto wallets, fragmented across chains and mixed with other funds. This makes tracing nearly impossible without advanced blockchain analytics.
Third, obfuscation. The funds don’t go straight to Pyongyang. They flow through intermediaries in Russia, the UAE, and China. One key facilitator, a person known only as "Lu," was sanctioned by the U.S. Treasury in December 2024 for converting crypto into cash for the regime. The money eventually reaches senior operatives like Kim Sang Man and Sim Hyon Sop - both already on international sanctions lists.
The result? A steady, low-risk income stream. Unlike the flashy $625 million heist from Harmony Bridge in 2022, this method generates smaller, regular payments - around $5,000 per worker per month. But with thousands of operatives, the total adds up fast. Between January and September 2025 alone, these schemes generated $1.65 billion, according to the Multilateral Sanctions Monitoring Team.
Why It’s So Hard to Stop
Traditional cybersecurity tools don’t catch this. There’s no malware. No phishing emails. No ransomware pop-up. The company isn’t hacked - it’s fooled. The RCMP’s July 2025 advisory warned businesses about five red flags:
- Requests for crypto-only payment
- Multiple login locations across different countries in a single day
- AI-generated deepfakes during video interviews
- Refusal to sign contracts or provide references
- Unrealistically low rates - often 20-30% below market
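The second red flag can be checked against authentication logs. The following is an added example, not part of the RCMP advisory or the original article; the log format, account names and country codes are constructed for illustration, and the country is assumed to be resolved from the source IP before logging.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data): timestamp, account, source IP, country.
# The IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-07-14T01:12:09+00:00 contractor-a 192.0.2.10 UA
2025-07-14T06:40:51+00:00 contractor-a 198.51.100.7 RU
2025-07-14T13:05:33+00:00 contractor-a 203.0.113.99 AE
2025-07-14T08:00:00+00:00 employee-b 192.0.2.44 CA
2025-07-14T17:30:00+00:00 employee-b 192.0.2.45 CA
2025-07-14T23:50:00-05:00 employee-c 198.51.100.20 CA
2025-07-15T09:00:00+00:00 employee-c 203.0.113.5 US
malformed line
"""

def parse_line(line):
    """Return (utc_datetime, account, country), or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None  # a timestamp without an offset cannot be placed on a UTC day
    return ts.astimezone(timezone.utc), parts[1], parts[3].upper()

def multi_country_days(log_text, min_countries=2):
    """Map (account, UTC date) to the sorted countries seen that day,
    keeping only days with at least min_countries distinct countries."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, account, country = rec
        # Group on the UTC calendar day so mixed log offsets compare correctly.
        seen[(account, ts.date().isoformat())].add(country)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_countries}

if __name__ == "__main__":
    for (account, day), countries in sorted(multi_country_days(SAMPLE_LOG).items()):
        print(f"{day} {account}: logins from {', '.join(countries)}")
```

A hit is a prompt for review alongside the other red flags, since travel or a corporate VPN produces the same pattern. The employee-c rows show why the timestamps are normalised first: the two logins only fall on the same day once the -05:00 entry is converted to UTC.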
Who’s Behind It
This isn’t rogue actors. It’s a coordinated state program. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) designated Chinyong Information Technology Cooperation Company in July 2025 as the main recruitment arm. It’s not a company you’d find on Google - it’s a front for North Korea’s military intelligence bureau. Other entities tied to the scheme include Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation, both sanctioned in July 2025.
The money isn’t just funding weapons. According to the MSMT’s October 2025 report, DPRK uses stablecoin proceeds to buy copper, rare earth metals, and other materials used in missile production. One transaction chain traced to a Chinese bank in July 2025 showed $2.1 million in crypto converted to copper ingots shipped to North Korea.
How Companies Can Protect Themselves
The good news? It’s possible to stop this. The U.S. Treasury’s August 2025 analysis showed that companies using strict verification protocols reduced infiltration attempts by 63%. Here’s what works:
- Never pay in crypto. Use bank transfers or regulated payment platforms like PayPal or Wise. If a candidate insists on crypto, walk away.
- Verify identity with live, multi-platform video calls. Ask them to open a random website on their screen, read a sentence aloud, or show a physical ID. AI deepfakes can’t handle real-time, unpredictable prompts.
- Check education and work history directly. Call the university. Email their former employer. DPRK operatives often list fake schools like "Pyongyang University of Computer Science" - which doesn’t exist.
- Use blockchain monitoring tools. Services like Chainalysis or Elliptic can flag wallets linked to known DPRK addresses. Even if you’re not a crypto expert, your payroll provider can integrate these checks.
- Require signed contracts before payment. DPRK workers avoid contracts because they can’t be held accountable.
The Bigger Picture
North Korea’s IT worker scheme now accounts for 43% of all illicit crypto revenue generated by the regime - more than exchange hacks. With the global remote work market hitting $427 billion in 2025, there are more opportunities than ever for infiltration.
Governments are responding. The U.S. is offering up to $15 million for tips leading to arrests. The Financial Action Task Force (FATF) updated its guidelines in June 2025 to require VASPs (virtual asset service providers) to screen for DPRK-linked transactions. FinCEN is testing a new AI system for Q1 2026 that can detect DPRK wallet clusters with 89% accuracy.
But technology alone won’t fix this. The real solution is human vigilance. Every company that hires a remote worker is a potential entry point. Every time someone ignores a red flag, they’re helping North Korea build weapons.
What’s Next
The regime won’t stop. It’s too profitable. But its methods will evolve. We may see more use of NFTs, privacy coins like Monero, or even decentralized finance (DeFi) protocols to hide transactions. Some analysts predict a 25-30% drop in successful infiltrations by late 2026 - not because the threat is gone, but because defenses are getting smarter.
The lesson is clear: if you’re hiring remotely, you’re not just hiring a developer. You’re hiring a potential accomplice in a global crime syndicate. Don’t assume someone’s innocent because they look professional. Don’t trust a resume just because it’s polished. And never, ever pay in crypto unless you’re absolutely certain of who you’re dealing with. Because in this game, the most dangerous hackers aren’t the ones breaking in. They’re the ones you invited in.
How do North Korean IT workers hide their identity?
They use stolen or forged documents, AI-generated voice and face deepfakes, and virtual private networks (VPNs) to mask their location. They often claim to be from countries like Ukraine, Vietnam, or Brazil, and use fake educational backgrounds and employment histories. Some even use AI tools to generate realistic LinkedIn profiles and portfolio websites.
Why do they ask for payment in stablecoins like USDT or USDC?
Stablecoins are pegged to the U.S. dollar, so their value doesn’t fluctuate. This makes them ideal for laundering - they can be easily transferred across borders and converted into cash through unregulated OTC traders without triggering bank alerts. Unlike Bitcoin, stablecoins are widely accepted by crypto-to-fiat services that don’t require strict KYC checks.
Can blockchain analysis detect these laundering schemes?
Yes. Tools from Chainalysis, Elliptic, and others can trace wallet clusters linked to known North Korean addresses. These wallets often show patterns like frequent small transfers, use of mixers, and movement through Russian or UAE-based addresses. The U.S. Treasury’s FinCEN is developing an AI system expected to identify DPRK-linked wallets with 89% accuracy by early 2026.
What should I do if I suspect I’ve hired a North Korean IT worker?
Stop all payments immediately. Do not confront them. Document everything - chat logs, video recordings, wallet addresses. Report the case to your local cybercrime unit and file a report with the U.S. Treasury’s OFAC or your country’s financial intelligence unit. If crypto was sent, contact a blockchain forensic firm to trace the funds. Do not attempt to recover the money yourself - it could compromise an investigation.
Are there any legitimate North Korean IT workers abroad?
No. All North Korean citizens working remotely for foreign companies are part of state-run programs. The DPRK government controls all international employment. Even if a worker claims to be independent, they are still acting on behalf of the regime. There are no private, freelance North Korean developers operating outside state control.
How much money have these schemes generated?
Between January and September 2025, North Korean IT worker schemes generated at least $1.65 billion, according to the Multilateral Sanctions Monitoring Team. In 2024, the total was $1.2 billion. The largest single theft was the $1.4 billion Bybit hack in February 2025. These funds are used to finance North Korea’s nuclear and ballistic missile programs.
Which countries are most affected by these schemes?
The U.S., Canada, South Korea, Japan, and Western European nations are primary targets due to their high demand for remote tech talent and strong digital infrastructure. However, companies in Australia, New Zealand, and even Latin America have also been compromised. China has been identified as a key laundering hub, with at least 15 Chinese banks used to convert crypto into fiat.
Michael Labelle
November 27, 2025 AT 05:13
Been hiring remote devs for years. This is wild but not surprising. I’ve had candidates who seemed too perfect - flawless English, insane availability, weirdly low rates. Never thought it could be state-sponsored. Feels like we’re all unwitting pawns in a geopolitical game.
Still, I’m not blaming the workers. They’re probably just trying to survive under a brutal regime. The real villains are the ones pulling the strings from Pyongyang.
Anyway, I’m double-checking every new hire now. Crypto? No. Video call with live prompts? Yes. No more shortcuts.
Joel Christian
November 27, 2025 AT 18:51
ok so like… i just hired a guy from ‘kyiv’ last month for 30/hr in usdt and he’s like a godsend?? idk if he’s north korean but i’m kinda scared now?? lol
also he types in all lowercase and never uses punctuation… is that a sign??
jeff aza
November 28, 2025 AT 17:20
Let’s be clear: this isn’t a ‘hack.’ It’s a systemic exploitation of labor arbitrage, combined with cryptographic obfuscation and identity laundering - essentially a hybrid of social engineering and state-sponsored economic warfare. The fact that companies are still using crypto for payroll is a regulatory failure of epic proportions.
Chainalysis data shows that 92% of DPRK-affiliated applicants use forged credentials. That’s not a vulnerability - it’s a flagrant disregard for due diligence. If you’re paying in USDT without KYC, you’re not a startup - you’re a money mule.
And yes, AI deepfakes are a problem, but the real issue is that HR departments are still using résumés as the primary authentication mechanism. That’s like verifying a bank account with a selfie.
Also, the term ‘remote IT worker’ is misleading. These aren’t workers - they’re state assets. Period.
Vijay Kumar
November 30, 2025 AT 05:10
Humanity is sleeping while the world burns. We outsource jobs to save money… and unknowingly fund nuclear missiles.
Is this capitalism? Or just collective suicide?
Wake up. Your convenience is their weapon.