WASHINGTON — The U.S. Department of Justice has filed a civil forfeiture complaint in the U.S. District Court for the District of Columbia seeking to seize more than $7.74 million in cryptocurrency allegedly laundered on behalf of the North Korean government in violation of U.S. sanctions.
The complaint alleges that North Korean IT workers unlawfully secured remote employment with companies worldwide—particularly in the United States—using fraudulent identities to earn millions of dollars in cryptocurrency. These funds were funneled back to Pyongyang to support government priorities, including weapons programs, evading longstanding international sanctions.
The forfeiture stems from a broader investigation linked to an April 2023 indictment against Sim Hyon Sop, a representative of North Korea’s Foreign Trade Bank (FTB), who is accused of conspiring with the IT operatives. U.S. authorities were able to trace and seize the illicit funds before they could be repatriated to the regime.
“This case underscores that crime may pay elsewhere, but not here,” said U.S. Attorney Jeanine Ferris Pirro. “Any attempt by foreign adversaries to subvert our financial systems will be met with forceful legal action. Sanctions are in place for a reason, and we will not allow our infrastructure to be exploited.”
Exploiting the Cryptocurrency Ecosystem
According to court documents, North Korean IT operatives—often working out of China and Russia—obtained jobs at international blockchain and tech firms by circumventing identity and security checks. Using fraudulent documents, they masked their true nationality and received payments in digital assets, including stablecoins such as USDC and USDT.
To launder the proceeds, they employed various tactics including:
- Using fictitious identities to open accounts
- Transferring funds in small increments to evade detection
- Moving assets across different blockchains (“chain hopping”)
- Converting cryptocurrencies (“token swapping”)
- Purchasing non-fungible tokens (NFTs) to obscure ownership
- Using U.S.-based accounts to legitimize transactions
- Commingling illicit funds with legitimate assets
These techniques enabled the covert transmission of funds to North Korean government entities, often via intermediaries like Sim and Kim Sang Man, the CEO of Chinyong (also known as Jinyong IT Cooperation Company), a front company subordinate to North Korea’s Ministry of Defense.
Both Sim and Chinyong have been designated by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) as Specially Designated Nationals (SDNs) in recent years due to their roles in supporting North Korea’s military and cyber operations.
Sustained U.S. Action Against North Korean Cyber Threats
This forfeiture action follows multiple Justice Department efforts to disrupt North Korea’s use of cyber capabilities to circumvent international sanctions. The Department has issued indictments and taken enforcement actions in May, August, and December 2024, as well as January 2025, targeting both North Korean operatives and their enablers abroad.
“The Department is using every available legal tool to block North Korea from exploiting the global financial and digital ecosystems,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “This case demonstrates our commitment to denying Pyongyang access to illicit revenue streams.”
Sue J. Bai, Head of the DOJ’s National Security Division, added, “North Korea’s exploitation of global IT and cryptocurrency networks directly threatens international stability. This forfeiture action reflects our strategic focus on cutting off their financial pipelines.”
Ongoing Investigations and International Cooperation
The FBI’s Chicago Field Office and its Virtual Assets Unit (VAU) led the investigation, with critical support from interagency and international partners. Senior legal and cybercrime prosecutors from the DOJ’s Criminal and National Security Divisions are overseeing the case.
“This is one of the FBI’s first successful seizures of funds generated by North Korean IT operatives before they could be repatriated,” said Special Agent in Charge Douglas S. DePodesta. “We remain vigilant against evolving threats to national security, including the misuse of digital assets by hostile nation-states.”
The FBI has issued multiple public advisories—most recently in January 2025—alerting businesses to indicators of North Korean IT worker fraud, including the use of U.S.-based “laptop farms,” data theft, and attempts to access sensitive commercial information. Businesses are urged to implement enhanced due diligence and cybersecurity protocols.
Contact and Reporting
Anyone with information about potential North Korean cyber activities or suspicious employment schemes involving remote IT work is encouraged to contact the FBI or visit www.fbi.gov for guidance and reporting mechanisms.
