How North Korean IT Workers Use Crypto to Launder Billions


On February 12, 2025, crypto exchange Bybit lost $1.4 billion in a single heist. But this wasn’t a hack by a shadowy group of anonymous coders. It was the work of people sitting at desks in Beijing, Moscow, and Dubai - people who claimed to be software engineers from Poland, Brazil, and Canada. They weren’t criminals in the traditional sense. They were North Korean IT workers, paid in cryptocurrency to work remote jobs for companies that never knew their true identity.

This isn’t science fiction. It’s the reality of how the North Korean regime is bypassing international sanctions. With nuclear weapons and missile programs to fund, and no access to global banking, Pyongyang turned to something it excels at: cyber operations. But instead of just stealing crypto outright, they built a quiet, steady machine - one that pays regular salaries, uses fake identities, and hides in plain sight.

The Real Business of North Korean Cybercrime

Most people think of North Korean hackers as the Lazarus Group - the ones who broke into exchanges, stole millions, and vanished. But since 2017, the regime has shifted tactics. The Multilateral Sanctions Monitoring Team (MSMT) found that in 2024 alone, North Korea made $1.2 billion from crypto. And by September 2025, that number had jumped to $1.65 billion. The biggest source? Not exchange heists. Not ransomware. It’s remote IT workers.

These aren’t freelance gig workers. They’re state-sponsored operatives. Recruited by agencies like Chinyong Information Technology Cooperation Company - sanctioned by the U.S. Treasury in July 2025 - they’re sent overseas under false passports and fake resumes. Their job? Apply for software development, QA testing, or data analysis roles with companies in the U.S., Europe, and Southeast Asia. They interview via Zoom, pass background checks with forged diplomas, and start working.

And here’s the twist: they ask to be paid in USDC or USDT. Not Bitcoin. Not Ethereum. Stablecoins. Why? Because they’re pegged to the dollar. Easy to move. Easy to convert. And easy to hide.

How the Laundering Works

Once the salary hits their wallet - usually around $5,000 a month - the laundering begins. The money doesn’t go straight to Pyongyang. It gets split across dozens, sometimes hundreds, of crypto addresses. Each one holds a small amount. Then, through a series of mixers, bridges, and peer-to-peer trades, it’s funneled into wallets controlled by sanctioned individuals like Kim Sang Man and Sim Hyon Sop.

The final step? Conversion to cash. This happens through over-the-counter (OTC) traders in Russia, the UAE, and China. One such trader, known only as ‘Lu’, was sanctioned by OFAC in December 2024 for moving $2.1 million in crypto tied to North Korea. These traders don’t ask questions. They just exchange crypto for cash, often through shell companies or fake import/export businesses.

Chainalysis tracked one network that used 1,200 unique wallet addresses over 18 months. None of them were directly linked to North Korea. But when analysts looked at transaction patterns - timing, amounts, and wallet clustering - the fingerprints were unmistakable.

The Red Flags No One Noticed

Companies hiring remote workers had every chance to spot the fraud. But they didn’t. Here’s why:

  • They’re cheaper. North Korean workers offer services at 20-30% below market rates. For startups trying to cut costs, that’s tempting.
  • No contract needed. They’ll start working before signing anything. They want to get paid fast.
  • They use deepfakes. AI-generated voices and faces make video interviews look real. One Canadian tech firm lost $280,000 after a worker used AI to mimic a Polish engineer during 12 video calls.
  • Multiple logins from different countries. One worker logged in from Ukraine, then Nigeria, then Indonesia - all in the same week. Companies assumed they were traveling.
  • Forged credentials. The RCMP found that 92% of verified DPRK applications had fake university degrees or employment history.
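The multiple-country login pattern in the list above is something an identity team can check for directly. This is an added example, not code from the original article: it scans constructed sign-in records for accounts seen in three or more countries within seven days. The log format, account names and thresholds are assumptions, and the country field is assumed to come from a GeoIP lookup done upstream.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real data): timestamp, account, GeoIP country.
SAMPLE_LOG = """\
2025-03-03T08:12:00Z user=contractor-17 country=UA
2025-03-04T09:40:00Z user=contractor-17 country=NG
2025-03-06T07:55:00Z user=contractor-17 country=ID
2025-03-03T08:30:00Z user=staff-02 country=CA
2025-03-05T08:31:00Z user=staff-02 country=CA
2025-03-20T10:00:00Z user=staff-02 country=US
2025-03-01T10:00:00Z user=contractor-09 country=PL
2025-03-05T10:00:00Z user=contractor-09 country=DE
2025-03-12T10:00:00Z user=contractor-09 country=BR
"""

def parse_events(text):
    """Yield (time, user, country) from 'ISO8601 user=.. country=..' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["country"]

def multi_country_logins(text, window=timedelta(days=7), min_countries=3):
    """Return {user: sorted countries} for accounts that logged in from at
    least `min_countries` distinct countries inside any sliding `window`."""
    by_user = defaultdict(list)
    for when, user, country in parse_events(text):
        by_user[user].append((when, country))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {c for _, c in events[start:end + 1]}
            if len(seen) >= min_countries:
                flagged[user] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for user, countries in multi_country_logins(SAMPLE_LOG).items():
        print(f"REVIEW {user}: logins from {countries} within the window")
```

A hit is a prompt to ask the worker and check VPN or proxy use, not proof on its own; the third account in the sample changes country too slowly to trip the seven-day window.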

And when the money’s gone? The worker disappears. No trace. No recourse. Crypto transactions are irreversible. And most companies don’t track blockchain activity.

[Image: A worker uses an AI deepfake during a Zoom call while real activity is monitored in Pyongyang, with stablecoins flowing to global launderers.]

Who’s Being Targeted?

It’s not just startups. Big companies are getting hit too. A U.S.-based cybersecurity firm reported that a North Korean operative accessed their internal code repository for six months before stealing $900,000 in crypto. The U.S. Department of Justice indicted four North Koreans in July 2025 for this exact scheme. The indictment listed the stolen assets: USDC, ETH, and even NFTs.

But the real danger isn’t just the money lost. It’s the data. These workers often get access to proprietary software, customer databases, and internal networks. Once they’ve collected what they need, they vanish - leaving behind backdoors, malware, or compromised systems.

According to the Canadian Anti-Fraud Centre, the average business loss per incident is $47,000. And 78% of cases involved crypto payments. The scale is growing. The global remote work market hit $427 billion in 2025. That’s a massive blind spot.

How to Protect Your Business

It’s not impossible to stop this. Companies that took action saw results.

  • Never pay in crypto. This is the single most effective step. If you’re paying a remote worker in USDC or USDT, you’re helping fund a nuclear program. Switch to bank transfers or PayPal. If they refuse, walk away.
  • Verify identity with multiple tools. Use live video calls on two different platforms at once - Zoom and Teams, for example. AI deepfakes can’t maintain perfect sync across both. Look for lip movements that don’t match audio, unnatural blinking, or frozen expressions.
  • Check education and work history directly. Don’t trust LinkedIn. Call the university. Ask for transcripts. Contact past employers. North Korean operatives often list universities that don’t exist or have no record of the person.
  • Use blockchain monitoring tools. Platforms like Chainalysis and Elliptic can flag wallet addresses linked to known DPRK laundering networks. Integrate them into your payment verification process.
  • Require signed contracts before work begins. If someone won’t sign a contract, they’re hiding something.

Companies that followed these steps reduced successful infiltration by 63%, according to a Treasury Department analysis in August 2025. It’s not about being paranoid. It’s about being smart.

[Image: A global map shows crypto laundering routes from North Korea, with investigators spotting suspicious wallets through blockchain tools.]

The Bigger Picture: Sanctions and the Future

The U.S., Japan, and South Korea issued a joint warning in July 2025. The State Department is offering up to $15 million for tips that lead to arrests. FinCEN is building a new AI system set to launch in early 2026 that can detect DPRK-linked wallets with 89% accuracy.

But here’s the hard truth: as long as crypto remains anonymous across borders, this will continue. North Korea has adapted before. When sanctions hit their shipping routes, they turned to cybercrime. When exchanges tightened security, they shifted to remote workers. They’ll adapt again.

What’s different now is the scale. This isn’t a few rogue hackers. It’s a state-run payroll system. The money funds copper imports for munitions. It buys missiles. It keeps the regime alive.

Every time a company pays a remote worker in USDT without verifying their identity, they’re indirectly helping North Korea build weapons. That’s not a side effect. It’s the point.

What’s Next?

By Q4 2026, experts predict a 25-30% drop in successful infiltrations due to better verification and global coordination. But the threat won’t disappear. It’ll evolve. Maybe next, they’ll use AI to generate fake video resumes. Or bribe local bank employees in the UAE to move funds faster.

The only real defense is awareness. If you hire remote workers - especially from high-risk regions - you’re not just hiring talent. You’re becoming part of a global financial network that supports a regime under international sanctions.

Ask yourself: Is saving $1,000 a month worth funding a nuclear arsenal?

Are North Korean IT workers legal to hire?

No. Hiring North Korean IT workers, even unknowingly, violates U.S., EU, and UN sanctions. The U.S. Treasury has sanctioned multiple agencies and individuals involved in recruiting these workers. If you pay them in crypto, you’re potentially aiding a regime that uses the funds for weapons development. You can be held legally responsible, even if you didn’t know their true identity.

Can I trust a remote worker who wants to be paid in USDT or USDC?

Be extremely cautious. While some legitimate workers prefer stablecoins for lower fees and faster settlements, North Korean operatives specifically request them because they’re easier to launder. If a worker insists on crypto and refuses bank transfers, it’s a major red flag. Always verify their identity through multiple channels before agreeing to any payment method.

How do I check if a remote worker is from North Korea?

You can’t always tell by name or location. North Korean operatives use fake identities from other countries. The best way is to look for patterns: inconsistent work history, forged diplomas, requests for crypto payments, and use of AI deepfakes during video calls. Use blockchain analytics tools to trace payment addresses. If the wallet has ever interacted with known DPRK-linked addresses, walk away.
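The wallet check in this answer, and the blockchain monitoring step under "How to Protect Your Business", come down to asking whether a payout address has touched a flagged address directly or through a short chain. This is an added example, not code from the article and not the Chainalysis or Elliptic API: it runs a hop-limited search over a constructed transfer list. All addresses, the flagged set and the three-hop limit are placeholder assumptions.

```python
from collections import defaultdict, deque

# Constructed placeholders, not real addresses and not a real sanctions list.
FLAGGED = {"addr_flagged_1"}
TRANSFERS = [  # (sender, receiver) pairs from an assumed transaction export
    ("addr_payee_A", "addr_mid_1"),
    ("addr_mid_1", "addr_mid_2"),
    ("addr_mid_2", "addr_flagged_1"),
    ("addr_payee_B", "addr_exchange"),
    ("addr_payee_C", "addr_flagged_1"),
]

def build_graph(transfers):
    """Undirected adjacency map: sending to or receiving from both count as contact."""
    graph = defaultdict(set)
    for src, dst in transfers:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def exposure_path(address, graph, flagged, max_hops):
    """Breadth-first search: shortest chain from `address` to a flagged address, or None."""
    if address in flagged:
        return [address]
    queue, seen = deque([[address]]), {address}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # hop budget used up on this branch
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in flagged:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def screen_payout(address, transfers=TRANSFERS, flagged=FLAGGED, max_hops=3):
    """Return (decision, path): block on direct contact, escalate on indirect exposure."""
    path = exposure_path(address, build_graph(transfers), flagged, max_hops)
    if path is None:
        return "clear", None
    return ("block" if len(path) <= 2 else "escalate"), path

if __name__ == "__main__":
    for payee in ("addr_payee_A", "addr_payee_B", "addr_payee_C"):
        print(payee, *screen_payout(payee))
```

Raw hop counting over-reports when a chain passes through a shared service such as an exchange hot wallet, which is why indirect hits are escalated for review here rather than blocked outright.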

Has anyone been arrested for running these schemes?

Yes. In July 2025, the U.S. Department of Justice unsealed an indictment against four North Korean nationals for stealing $900,000 in crypto through remote IT jobs. The U.S. Treasury has also sanctioned multiple individuals and companies, including Chinyong Information Technology Cooperation Company and OTC trader ‘Lu’. Arrests are rare because operatives are based overseas, but asset seizures are increasing - including over $7.7 million in crypto and NFTs seized by the FBI in mid-2025.

What should I do if I suspect I’ve hired a North Korean IT worker?

Stop all payments immediately. Do not confront the worker - they may destroy evidence. Report the case to your country’s financial crimes unit (like FinCEN in the U.S. or the RCMP in Canada). Provide transaction IDs, IP logs, and video recordings. Contact a blockchain forensic firm to trace the crypto flow. You may also be eligible for a reward under U.S. State Department programs if your information leads to a successful prosecution.

Comments (2)

  • Vernon Hughes

    This is terrifying but not surprising. The regime has been adapting for decades. What’s new is how professionalized it’s become. They’re not just hackers anymore - they’re HR departments with fake diplomas and Zoom scripts.

  • Alison Hall

    Companies need to stop paying in crypto. Period. It’s not worth the risk. Even if you think you’re being smart, you’re just enabling a nuclear program.
