How North Korean IT Workers Use Crypto Laundering to Bypass Sanctions
Nov, 13 2025
By early 2025, the world learned that the biggest threat to global crypto security wasn’t coming from rogue hackers in basements - it was coming from North Korean IT workers hired through legitimate job boards. These aren’t criminals breaking into exchanges. They’re remote employees. They show up on LinkedIn. They do their work. And then they disappear with thousands in crypto payments - money that ends up funding weapons of mass destruction.
The Real Business Model Behind the Fraud
North Korea doesn’t need to hack a crypto exchange anymore. It’s simpler - and smarter - to just get paid like a normal freelancer. Since 2017, the regime has quietly deployed thousands of IT professionals overseas under fake identities. They apply for remote software development, cybersecurity, and data analysis jobs with companies in the U.S., Canada, Europe, and Southeast Asia. They don’t ask for cash. They ask for USDT or USDC. Why? Because stablecoins are easy to move, hard to trace, and accepted by OTC traders who turn crypto into cash without asking questions.
These workers don’t steal millions in one go. They take $4,000 to $6,000 a month. Consistently. Over months. Years. Chainalysis found that these payments follow a clear pattern: same amount, same day, every 28 to 32 days. That’s not freelance work. That’s a salary. And it’s paid by companies who think they’re hiring a developer in Ukraine or the Philippines.
The scale is staggering. Between January and September 2025 alone, North Korea generated over $1.65 billion through these schemes, according to the Multilateral Sanctions Monitoring Team. One single heist from Bybit in February 2025 netted $1.4 billion - but that’s the exception. The real money comes from thousands of small, quiet payments. It’s the slow drip that fills the tank.
How They Hide in Plain Sight
These operatives don’t use stolen credit cards or fake PayPal accounts. They use real resumes. Fake degrees. AI-generated voice calls. Deepfake video interviews. One Canadian tech startup hired a developer named “Alex Hong” who showed up for weekly Zoom calls for six months. The video feed was flawless. The code was clean. The deadlines were met. Then, after receiving $280,000 in USDC, Alex vanished. No response. No explanation. Just silence.
The tools they use are chillingly advanced. AI software generates realistic facial movements during video calls. Voice cloning mimics accents perfectly. Virtual private networks route their traffic through servers in Russia, the UAE, and China. They submit documents with forged university seals, fake employment histories, and even manipulated LinkedIn profiles. The Canadian RCMP found that 92% of verified DPRK job applications contained falsified educational credentials.
They also undercut the market. While a skilled developer in India might charge $25/hour, a North Korean operative will offer $15 - sometimes even $10. Why? Because they’re not trying to make a living. They’re trying to get paid in crypto. And they’ll work for free if they have to - as long as the payment method is crypto.
The Money Trail: From Wallet to Weapons
Once the crypto lands in their wallet, the laundering begins. The funds are split across dozens - sometimes hundreds - of blockchain addresses. Each transfer is tiny. Each step is designed to break the trail. Then, the money is funneled into wallets linked to known DPRK operatives like Kim Sang Man and Sim Hyon Sop, both sanctioned by the U.S. Treasury since 2024.
The final step happens through OTC traders - often based in Russia or the UAE - who exchange crypto for cash. These traders don’t ask where the money came from. They just take a cut. Some of the cash goes to buy copper, rare earth metals, and other materials used in missile production. Others are used to pay for foreign diplomats, spy equipment, or even luxury goods for regime elites.
The U.S. Department of Justice filed a civil forfeiture complaint in June 2025 seeking over $7.7 million in seized assets tied to this network - including NFTs, Ethereum, and USDC. The FBI has frozen wallets linked to fake identities like “Joshua Palmer” and “Alex Hong.” But for every wallet seized, ten more are created.
Who’s Being Targeted - And How to Spot Them
Small and mid-sized tech startups are the most vulnerable. They need cheap talent. They’re not staffed with forensic accountants. They don’t have compliance teams. They hire based on GitHub profiles and video interviews. That’s exactly what North Korea exploits. Red flags? Here’s what real companies have seen:
- Requests for payment only in stablecoins - especially USDT or USDC
- Multiple login attempts from different countries in one day
- Refusal to sign a contract before starting work
- Overly low hourly rates - 20-30% below market
- Video calls that feel “off” - unnatural eye contact, delayed responses, mismatched lighting
- Education history from institutions that don’t exist or can’t be verified
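
Of the red flags above, logins from different countries in one day is the one you can check directly in authentication logs. The sketch below is an added example, not code from the article; the log format, account names and the `min_countries` threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed identity-provider log lines; the field layout is an assumption.
LOG = """\
2025-03-03T08:02:11Z login user=dev-17 ip=203.0.113.10 country=PH result=ok
2025-03-03T13:40:52Z login user=dev-17 ip=198.51.100.7 country=RU result=ok
2025-03-03T21:15:03Z login user=dev-17 ip=192.0.2.44 country=AE result=fail
2025-03-03T09:00:00Z login user=dev-22 ip=203.0.113.80 country=CA result=ok
2025-03-03T17:30:00Z login user=dev-22 ip=203.0.113.81 country=CA result=ok
2025-03-04T09:05:00Z login user=dev-22 ip=198.51.100.9 country=US result=ok
garbled line without fields
"""

# Capture the UTC day, the account and the geolocated country code.
LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ login user=(?P<user>\S+) "
    r"ip=\S+ country=(?P<cc>[A-Z]{2}) "
)

def multi_country_days(log_text, min_countries=2):
    """Map (user, day) to the countries seen, for days with several countries.

    Failed attempts count too, since the red flag is about login attempts.
    Lines that do not parse are skipped rather than aborting the scan.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        seen[(m["user"], m["day"])].add(m["cc"])
    return {key: sorted(ccs) for key, ccs in seen.items()
            if len(ccs) >= min_countries}

if __name__ == "__main__":
    for (user, day), countries in multi_country_days(LOG).items():
        print(f"{user} on {day}: logins from {', '.join(countries)}")
```

A hit is a prompt for the identity checks described in the next section, not proof on its own: corporate VPNs and travel produce the same pattern.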
How Companies Can Protect Themselves
The good news? You can stop this. Here’s what works:
- Never pay remote workers in crypto. Use bank transfers or verified platforms like PayPal or Wise. If they refuse, they’re not a worker - they’re a scammer.
- Verify identity with multiple channels. Do a video call. Then do a phone call. Then ask them to send a live photo holding today’s newspaper. AI deepfakes can’t handle real-time, multi-platform verification.
- Call their university. Don’t email. Call. Ask for the registrar. DPRK applicants often list fake schools like “Pyongyang Institute of Technology” - which doesn’t exist outside North Korea.
- Check their LinkedIn history. Look for gaps. Inconsistencies. Profiles created just weeks before applying. Real developers have years of activity.
- Use blockchain analytics tools. Services like Chainalysis or Elliptic can flag wallet addresses linked to known DPRK laundering networks. Run the wallet address before payment.
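
The salary-like pattern the article attributes to Chainalysis (same amount, every 28 to 32 days, $4,000 to $6,000 a month, paid in USDT or USDC) can also be checked against your own payables ledger. This is an added example, not code from the article or from Chainalysis; the ledger layout, payee names, `min_runs` and `tolerance` are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed accounts-payable export: (payee, paid_on, asset, amount_usd).
PAYMENTS = [
    ("contractor-a", date(2025, 1, 6), "USDC", 5000),
    ("contractor-a", date(2025, 2, 4), "USDC", 5000),
    ("contractor-a", date(2025, 3, 5), "USDC", 5000),
    ("contractor-a", date(2025, 4, 4), "USDC", 5000),
    ("contractor-b", date(2025, 1, 10), "USDT", 1200),   # irregular invoices
    ("contractor-b", date(2025, 1, 24), "USDT", 7400),
    ("contractor-b", date(2025, 3, 30), "USDT", 300),
    ("contractor-c", date(2025, 1, 6), "WIRE", 5000),    # bank transfer
    ("contractor-c", date(2025, 2, 5), "WIRE", 5000),
    ("contractor-c", date(2025, 3, 6), "WIRE", 5000),
]

STABLECOINS = {"USDT", "USDC"}

def salary_like_payees(payments, min_runs=3, gap=(28, 32),
                       band=(4000, 6000), tolerance=0.02):
    """Return payees whose stablecoin payouts look like a fixed salary.

    gap and band are the article's figures; min_runs (payments needed before
    judging) and tolerance (allowed amount drift) are assumed tuning values.
    """
    by_payee = defaultdict(list)
    for payee, paid_on, asset, amount in payments:
        if asset in STABLECOINS:
            by_payee[payee].append((paid_on, amount))
    flagged = []
    for payee, rows in by_payee.items():
        rows.sort()
        if len(rows) < min_runs:
            continue
        amounts = [amount for _, amount in rows]
        avg = mean(amounts)
        gaps = [(b[0] - a[0]).days for a, b in zip(rows, rows[1:])]
        steady_amount = all(abs(a - avg) <= tolerance * avg for a in amounts)
        steady_gap = all(gap[0] <= g <= gap[1] for g in gaps)
        if steady_amount and steady_gap and band[0] <= avg <= band[1]:
            flagged.append(payee)
    return sorted(flagged)

if __name__ == "__main__":
    print(salary_like_payees(PAYMENTS))
```

Legitimate contractors on a monthly retainer match this pattern as well, so treat a hit as a reason to run the identity and wallet checks listed above rather than as a verdict.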
The Bigger Picture: Why This Isn’t Just a Tech Problem
This isn’t about bad hires. It’s about national security. The Multilateral Sanctions Monitoring Team confirmed that every dollar earned through these schemes goes directly into North Korea’s weapons programs. Copper bought with laundered crypto becomes shell casings. Software tools developed by these workers help automate missile targeting. The regime doesn’t just want money - it wants to survive, and it’s using global trust in remote work to do it.
The U.S., Japan, and South Korea issued a joint warning in July 2025. The State Department is offering up to $15 million for tips leading to arrests. The Financial Action Task Force updated its guidelines in June 2025 to specifically address DPRK IT worker fraud. Even Chinese banks - 15 of them - were named in a July 2025 report for helping launder these funds.
And the threat is growing. The global remote IT market hit $427 billion in 2025 - up from $312 billion in 2023. More companies hiring remotely means more opportunities for North Korea to slip in. Crypto laundering now accounts for 43% of all DPRK illicit crypto revenue - more than exchange hacks.
What’s Next?
The U.S. Treasury’s FinCEN is testing a new AI system set to launch in early 2026 that can identify DPRK-linked crypto wallets with 89% accuracy. It’s not perfect - but it’s a start. Industry experts predict a 25-30% drop in successful attacks by late 2026 as verification tools improve and international pressure mounts.
But here’s the truth: as long as crypto remains anonymous, as long as companies prioritize cost over security, and as long as North Korea has nothing to lose - this will keep happening. The regime doesn’t need to win every time. It just needs to win once. And it has.
How do North Korean IT workers get hired remotely?
They apply for remote jobs using fake identities, forged educational documents, and AI-generated profiles. They often use virtual private networks (VPNs) to hide their location and pose as workers from countries like Ukraine, India, or the Philippines. They undercut market rates by 20-30% and request payment in stablecoins like USDT or USDC.
Why do they ask for crypto instead of bank transfers?
Crypto payments, especially stablecoins, are irreversible and hard to trace. Once sent, the money can be moved across multiple wallets and converted into cash through unregulated OTC traders. Bank transfers leave a paper trail that can be tracked by regulators - crypto doesn’t.
Can AI deepfakes be detected?
Yes - but only with the right checks. AI deepfakes struggle with real-time, multi-channel verification. Ask the person to do a live video call while also answering a phone call. Ask them to hold up a printed document with today’s date. Look for unnatural eye movement, mismatched lighting, or delayed lip sync. Most DPRK operatives fail under these simple tests.
How much money has North Korea made from this scheme?
From January to September 2025, North Korea earned over $1.65 billion through crypto laundering by its IT workers, according to the Multilateral Sanctions Monitoring Team. In 2024 alone, the figure was $1.2 billion. The largest single theft was $1.4 billion from Bybit in February 2025.
What happens if I pay a North Korean IT worker by accident?
Once crypto is sent, recovery is extremely unlikely. The funds are quickly fragmented across dozens of wallets and moved through jurisdictions with weak enforcement. The best action is to report the incident to your local financial crimes unit and provide wallet addresses to blockchain analytics firms like Chainalysis or Elliptic. They may be able to flag the addresses for future monitoring.
Are there any legitimate North Korean remote workers?
No. All remote IT workers from North Korea are operating under state orders. The regime strictly controls all overseas workers - they are not independent freelancers. Any job offer from someone claiming to be from North Korea is a scam. Even if they seem genuine, they are part of a state-run operation.