North Koreans Charged in $900K Crypto Theft Exposing Remote IT Job Risks

Four North Korean operatives used stolen IDs and a cryptocurrency mixer to siphon $900K in crypto from blockchain firms, including one based in Georgia, exposing remote-work security gaps.

On June 24, 2025, a federal grand jury in Atlanta indicted Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il, nationals of the Democratic People’s Republic of Korea (DPRK), for wire fraud and money laundering after they stole and laundered over $900,000 in cryptocurrency from U.S. blockchain companies.

North Korean Crypto Heist: Laundering Scheme Demolished

The indictment alleges that the four used fake and stolen identities to pose as remote IT workers, gaining access to employer crypto wallets and systems. They targeted an Atlanta blockchain R&D firm and a Serbian token company, concealing their DPRK identities with fraudulent documents.

Jong Pong Ju, under the alias “Bryan Cho,” pilfered $175,000 in virtual currency in February 2022 by abusing his wallet permissions. In March 2022, Kim Kwang Jin manipulated the code of two smart contracts to steal about $740,000 in digital assets.

To launder proceeds, they routed funds through the Tornado Cash mixer, then moved tainted coins into exchange accounts set up by Kang Tae Bok and Chang Nam Il using fraudulent Malaysian IDs. Agents seized hundreds of laptops and raided 29 “laptop farms” across 16 states in a parallel FBI operation targeting North Korean IT worker schemes.

This case falls under the DOJ’s DPRK RevGen: Domestic Enabler Initiative, launched in March 2024 to disrupt Pyongyang’s illicit revenue streams via cyber-enabled fraud. U.S. officials warn that stolen crypto funds flow directly into North Korea’s weapons and nuclear programs, making these enforcement actions critical to national security.

According to the Chainalysis report, North Korea–linked hackers stole $1.34 billion in cryptocurrency across 47 incidents in 2024, accounting for 61% of all crypto thefts that year. High-value heists included a $308 million breach of DMM Bitcoin and a $235 million attack on WazirX, underscoring DPRK’s focus on large-scale exploits.


International Enforcement and Sanctions Coordination

The DOJ launched its DPRK RevGen: Domestic Enabler Initiative in March 2024 to unify enforcement against North Korea’s illicit revenue schemes, coordinating indictments, forfeitures and global outreach. Under this effort, the DOJ has filed civil forfeiture actions recovering over $7.74 million tied to fake IT worker schemes and pursued multiple indictments in Georgia and Massachusetts.

The U.S. and South Korea reinforce these actions through the U.S.–ROK Cyber Cooperation Framework, sharing threat intelligence, harmonizing legal strategies and conducting joint investigations to disrupt DPRK hacking operations. South Korea’s National Intelligence Service and Financial Intelligence Unit routinely exchange data on sanctioned entities, bolstering the reach of U.S. sanctions and mutual legal assistance.

At the United Nations, Security Council Resolution 1718 and its subsequent updates explicitly ban North Korean cyber theft and require member states to freeze related assets, providing a legal basis for cross-border enforcement. UN sanctions monitors reported that in March 2024 North Korea laundered $147.5 million through Tornado Cash, underscoring the global scope of DPRK money laundering.

The Financial Action Task Force (FATF) has issued binding standards on virtual assets and VASPs to curb money-laundering risks, urging jurisdictions to ramp up AML/KYC rules and inter-agency cooperation against state-sponsored crypto crime. In June 2025, FATF highlighted North Korea as a primary threat, calling for urgent reforms in crypto regulation and stronger global enforcement networks.

The U.S. Treasury’s OFAC has sanctioned mixers like Sinbad.io and individual DPRK hackers to choke off laundering channels, designating Sinbad.io for processing millions of dollars from Lazarus Group heists. These sanctions freeze assets, prohibit U.S. persons from dealing with designated entities, and complement DOJ indictments by targeting the financial infrastructure behind DPRK schemes.

As international pressure mounts, authorities plan to deepen collaboration with Europol and INTERPOL in late 2025, launching joint cyber task forces and harmonizing asset-recovery protocols to stay ahead of evolving DPRK tactics. Sustained intelligence sharing and coordinated legal action remain critical to cutting off Pyongyang’s crypto lifelines and protecting the global financial system.

Evolving Corporate Defense: Securing Remote IT Hires

As companies increasingly rely on remote IT talent, they should implement zero-trust architectures that verify every user and device before granting access. Identity-based access combines strong authentication, logging and auditing to reduce risks from fake or stolen credentials. NIST’s zero-trust framework for remote work calls for continuous verification and least-privilege policies to limit lateral movement in case of a breach. Mobile identity checks (“zero trust to mobile”) prevent personal-data manipulation during remote onboarding and strengthen contractor vetting.

Strong multi-factor authentication (MFA) offers an extra layer of defense for remote IT roles. Two-factor authentication (2FA) uses a password plus a second factor, such as a security token, to block unauthorized logins. Some crypto platforms require three-factor authentication for higher assurance, protecting wallet access from single-point failures. Wallet applications should also warn users before revealing private keys and integrate phishing site databases to prevent credential theft.

Real-time monitoring and strict remote-access controls help spot and stop malicious activity. CISA’s telework guidance advises firms to enforce VPN use, endpoint protection and secure Wi-Fi connections for all remote sessions. Organizations can follow CISA’s “Guide to Securing Remote Access Software” to audit configurations and patch vulnerabilities promptly. Endpoint security solutions designed for nation-state threats can detect malware deployment and anomalous behavior before hackers exfiltrate data.
