How North Korean IT Workers Use Crypto to Launder Billions

It’s 2026, and a remote IT job posting on a freelance platform looks too good to be true. The pay? $5,000 a month. The work? Just coding, testing, and support. No interviews. No contract. Just wire your crypto wallet and start Monday. Thousands of companies have taken the bait. But behind that screen is not a freelancer from Ukraine or the Philippines - it’s a North Korean operative, using AI deepfakes to look you in the eye during a Zoom call, while quietly siphoning money to fund weapons of mass destruction.

How the Scheme Works

North Korea doesn’t hack exchanges anymore - not primarily, anyway. Instead, it hires its own people as remote workers. These aren’t hackers in hoodies. They’re trained software engineers, cybersecurity specialists, and data analysts, sent overseas under fake identities. They apply for jobs on Upwork, LinkedIn, and niche tech forums. They lie about where they’re from. They use stolen passports, forged diplomas, and AI-generated voices to pass video interviews. Once hired, they demand payment in USDC or USDT - stablecoins that hold steady value and move easily across borders.

These workers don’t steal in one big hit. They get paid regularly. $5,000 here. $7,000 there. Monthly. Consistent. The money flows into wallets they control, then gets split across dozens, sometimes hundreds, of other addresses. Each transfer is tiny, scattered, designed to avoid red flags. Eventually, the funds converge in wallets tied to sanctioned North Korean operatives like Kim Sang Man and Sim Hyon Sop. From there, the crypto is converted into cash through over-the-counter (OTC) traders in Russia, the UAE, or China - often using fake businesses or shell companies.

This isn’t random crime. It’s state policy. The Multilateral Sanctions Monitoring Team (MSMT) says North Korea made at least $1.65 billion from crypto laundering between January and September 2025 alone. That’s more than $180 million a month. One operation, the $1.4 billion Bybit heist in February 2025, made headlines. But the real money? It’s in the slow drip of payroll payments from unsuspecting companies.

Why Stablecoins Are the Weapon of Choice

Bitcoin and Ethereum are too volatile. Too traceable. Too noisy. Stablecoins like USDC and USDT are the perfect tool. They’re pegged to the U.S. dollar. They move fast. They’re accepted everywhere. And because they’re built on blockchains like Ethereum and Tron, they can be shuffled through dozens of wallets before anyone notices.

The U.S. Treasury confirmed in June 2025 that North Korean operatives specifically request stablecoins. Why? Because they’re the bridge between crypto and cash. OTC traders - often operating out of Dubai or Moscow - take the stablecoins and give back dollars in cash, bank transfers, or even gold. No KYC. No questions asked. The money disappears into the global financial system, then reappears in North Korea to buy copper for munitions, missile parts, or high-tech surveillance gear.

According to the MSMT report from October 2025, these stablecoin transactions are directly linked to military procurement. Copper, lithium, rare earth metals - all bought with crypto laundered through fake IT jobs. This isn’t just money laundering. It’s arms funding.

How Companies Get Tricked

Most companies don’t realize they’re hiring a regime-backed operative. The workers appear professional. They’re cheap - often offering rates 20-30% below market. They’re eager. They’ll start immediately. No contract needed. They’ll even work weekends. They use AI tools to fake video calls, sometimes even mimicking your accent or tone. One Canadian tech startup lost $280,000 over six months to an operative who showed up in every Zoom meeting with perfect lighting, perfect English, and a fake degree from MIT.

The RCMP’s July 2025 advisory lists the red flags:

  • Requests for cryptocurrency payments only
  • Multiple logins from different countries in one day
  • Refusal to sign a contract or provide ID
  • Overly low rates compared to peers
  • Use of AI-generated photos or voices

But here’s the problem: most HR departments don’t know what to look for. They’re not trained in blockchain forensics. They don’t check if the university on the resume even exists. And they don’t have tools to detect deepfakes in real time.
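
One of those red flags, multiple logins from different countries in one day, can be checked automatically against authentication logs. The sketch below is an added example, not part of the RCMP advisory; the log format, usernames and IP addresses are constructed, and it assumes each login line has already been enriched with a GeoIP country code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) log format: "<UTC timestamp> user=<name> country=<CC> ip=<addr>"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<cc>[A-Z]{2}) ip=(?P<ip>\S+)$")

# Constructed sample data; IPs are from documentation-only ranges.
SAMPLE_LOG = """\
2025-07-14T01:10:00Z user=contractor01 country=US ip=203.0.113.10
2025-07-14T03:40:00Z user=contractor01 country=CN ip=198.51.100.7
2025-07-14T09:05:00Z user=contractor01 country=RU ip=198.51.100.99
2025-07-14T08:00:00Z user=staff02 country=CA ip=192.0.2.15
2025-07-14T17:30:00Z user=staff02 country=CA ip=192.0.2.15
2025-07-15T02:00:00Z user=contractor01 country=US ip=203.0.113.10
malformed line that the parser must skip
"""

def multi_country_days(log_text, min_countries=2):
    """Return one finding per (user, UTC day) with logins from several countries."""
    by_user_day = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_user_day[(m["user"], ts.date().isoformat())].append((ts, m["cc"]))

    findings = []
    for (user, day), events in sorted(by_user_day.items()):
        events.sort()
        countries = sorted({cc for _, cc in events})
        if len(countries) < min_countries:
            continue
        # Minutes between consecutive logins whose country differs.
        gaps = [(b[0] - a[0]).total_seconds() / 60
                for a, b in zip(events, events[1:]) if a[1] != b[1]]
        findings.append({"user": user, "day": day, "countries": countries,
                         "fastest_switch_min": min(gaps)})
    return findings

if __name__ == "__main__":
    for finding in multi_country_days(SAMPLE_LOG):
        print(finding)
```

A hit is a prompt for follow-up rather than proof: staff on corporate VPNs or travelling can produce the same pattern, so review it alongside the other flags in the list.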

The Real Cost to Businesses

The average loss per company? $47,000. That’s according to the Canadian Anti-Fraud Centre’s Q3 2025 report. And 78% of those cases involved crypto payments. Some companies lose less. Others lose millions. The U.S. Department of Justice indicted four North Korean nationals in July 2025 for stealing $900,000 in virtual currency from U.S.-based firms. The names? Joshua Palmer. Alex Hong. Fake identities. Real damage.

The worst part? Once the crypto leaves your wallet, it’s gone. No chargebacks. No refunds. The blockchain doesn’t care who you are. Once it’s sent, it’s irreversible.

How Governments Are Fighting Back

The U.S., Canada, Japan, South Korea, and 11 other nations are coordinating sanctions. In July 2025, the U.S. Treasury sanctioned Chinyong Information Technology Cooperation Company - the main agency that recruits and deploys these workers. They also went after Vitaliy Sergeyevich Andreyev, Kim Ung Sun, and Korea Sinjin Trading Corporation. All were tied to the laundering pipeline.

The FBI and DOJ have seized over $7.7 million in crypto, NFTs, and digital assets linked to these operations. They’ve frozen wallets tied to North Korean operatives. They’ve pressured exchanges to block known DPRK-linked addresses.

The Financial Action Task Force (FATF) updated its global guidance in June 2025, telling crypto platforms to watch for patterns: small, regular payments from new users, requests for stablecoins, and inconsistent location data.

And there’s new tech coming. FinCEN, the U.S. financial crimes unit, is testing a prototype system expected to launch in early 2026. It can spot DPRK-linked wallet clusters with 89% accuracy by analyzing transaction timing, wallet age, and fund flow patterns.

What Companies Can Do

You don’t need to be a cybersecurity expert to protect yourself. Here’s what works:

  1. Never pay in crypto unless you’re 100% sure of the person. Use payroll platforms with built-in KYC. Pay via bank transfer, not wallet.
  2. Verify identities with multiple video calls. Ask them to show a government ID, then ask them to spell their name backwards. Deepfakes can’t handle that.
  3. Check their education and work history. Call the university. Email the former employer. DPRK operatives use fake diplomas 92% of the time.
  4. Use blockchain analytics tools. Services like Chainalysis or Elliptic can flag if a wallet has ever been tied to North Korea. Run the wallet address before paying.
  5. Require contracts. If they refuse to sign, walk away.

Companies that followed these steps saw a 63% drop in successful infiltration attempts, according to a Treasury Department analysis in August 2025. It’s not foolproof - but it’s enough to make North Korea move on to easier targets.

The Bigger Picture

This isn’t just about fraud. It’s about survival. North Korea’s economy is crushed under sanctions. Its people are starving. But its military isn’t. The regime has turned the global remote work boom - a $427 billion industry - into a weapon. Every time a company hires a fake IT worker, they’re indirectly funding missile tests, nuclear warheads, and cyberattacks on hospitals and power grids.

The world is waking up. Governments are acting. Tech tools are improving. But as long as crypto remains anonymous and remote work is easy, the scheme will evolve. Maybe next time, they’ll use NFTs. Or decentralized finance protocols. Or AI-generated freelance profiles that can pass automated screening tools.

The only defense? Vigilance. Verification. And never, ever paying someone you’ve never met in crypto.

Are North Korean IT workers still active in 2026?

Yes. Despite increased sanctions and better detection tools, North Korean IT workers remain active in 2026. The Multilateral Sanctions Monitoring Team confirmed ongoing operations through September 2025, and U.S. Treasury data shows new wallet clusters tied to DPRK operatives emerging monthly. While the volume may drop due to improved countermeasures, the regime has shown it can adapt quickly - shifting to new platforms, tools, and laundering methods.

Can you trace crypto payments back to North Korea?

Yes, but it’s complex. Blockchain analysis firms like Chainalysis and Elliptic have mapped out hundreds of wallets used by DPRK operatives. These wallets show patterns: small, regular deposits from different countries, rapid movement through mixers or bridges, and eventual consolidation into known sanctioned addresses. While individual transactions are hard to trace, clusters of activity are increasingly detectable. The U.S. FinCEN’s new system, launching in early 2026, can identify DPRK-linked clusters with 89% accuracy.

Why don’t exchanges block these payments?

Many exchanges do - but not all. Major platforms like Coinbase and Binance have blocked known DPRK-linked wallets. But smaller exchanges, especially those based in jurisdictions with weak oversight, still process these transactions. OTC traders - who operate outside exchange systems - are the biggest loophole. They accept crypto from anyone, often without ID, and convert it to cash. That’s why the U.S. Treasury has sanctioned multiple OTC facilitators, including a person known only as ‘Lu’.

Is it illegal to hire a North Korean IT worker unknowingly?

No, not if you truly didn’t know. U.S. and international sanctions target the regime and its enablers, not individual employers who are victims of fraud. However, if you ignore red flags - like crypto-only payments or fake documents - regulators may consider you negligent. In some cases, companies have been fined for failing to conduct basic due diligence. The key is proving you made a good-faith effort to verify the worker.

How can I check if a crypto wallet is linked to North Korea?

Use free blockchain explorers like Etherscan or Tronscan to look up the wallet address. Then cross-check it with public sanctions lists from the U.S. Treasury’s OFAC database or Chainalysis’ Reactor platform. Some cybersecurity firms offer wallet screening tools for businesses. If the wallet has ever received funds from a known DPRK-linked address, or has sent funds to a sanctioned entity, it’s high-risk. Always verify before sending any payment.
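
The exposure check described above can be scripted once you have a transfer export and a list of sanctioned addresses. This is an added example, not code from any vendor or from the sources cited here; all addresses are constructed placeholders, and it goes beyond the direct check by following funds a few hops in each direction, since the scheme splits payments across intermediate wallets.

```python
from collections import defaultdict, deque

# Constructed placeholders, not real wallets. SANCTIONED stands in for
# addresses taken from a published sanctions list.
SANCTIONED = {"0xSANCTIONED_A"}

# (sender, receiver, amount_usd) rows, as a block explorer export might provide.
TRANSFERS = [
    ("0xCONTRACTOR", "0xHOP1", 5000),
    ("0xHOP1", "0xHOP2", 2500),
    ("0xHOP1", "0xHOP3", 2500),
    ("0xHOP2", "0xSANCTIONED_A", 2400),
    ("0xCLEAN_PAYER", "0xCLEAN_VENDOR", 900),
    ("0xSANCTIONED_A", "0xFUNDED", 100),
]

def _shortest_path(start, graph, sanctioned, max_hops):
    """Breadth-first search: shortest path from start to a sanctioned address."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in sanctioned:
            return path
        if len(path) - 1 >= max_hops:
            continue  # do not look further than max_hops transfers away
        for nxt in graph[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def screen_wallet(address, transfers, sanctioned, max_hops=3):
    """Check whether funds flow from address to, or to address from, a sanctioned wallet."""
    outflow, inflow = defaultdict(set), defaultdict(set)
    for sender, receiver, _amount_usd in transfers:
        outflow[sender].add(receiver)
        inflow[receiver].add(sender)
    sent = _shortest_path(address, outflow, sanctioned, max_hops)
    received = _shortest_path(address, inflow, sanctioned, max_hops)
    return {"address": address,
            "sends_to_sanctioned": sent,            # path following outgoing funds
            "receives_from_sanctioned": received,   # path walking back along incoming funds
            "high_risk": bool(sent or received)}

if __name__ == "__main__":
    for wallet in ("0xCONTRACTOR", "0xFUNDED", "0xCLEAN_PAYER"):
        print(screen_wallet(wallet, TRANSFERS, SANCTIONED))
```

Commercial analytics tools also weigh amounts and attribution confidence; a hop-count check like this is a first-pass filter before payment, not a substitute for them.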

What’s the difference between this and the Lazarus Group hacks?

The Lazarus Group steals large sums in single attacks - like the $625 million Harmony Bridge breach in 2022. The IT worker scheme is slower, quieter, and more sustainable. Instead of breaking in once, they get paid monthly like real employees. This avoids triggering alarms. It’s less flashy, but far more reliable. According to Chainalysis, the IT worker scheme generated 43% of North Korea’s crypto revenue in 2025 - more than direct exchange hacks.