North Korea Operatives Steal $915,000 in Crypto from U.S. and Serbian Firms

Four North Korean operatives, posing as remote IT workers, successfully infiltrated blockchain firms in the U.S. and Serbia, stealing over $900,000 in cryptocurrency. The operation, which spanned from 2019 to 2022, involved the use of fake and stolen identities to secure jobs as developers at these firms. The defendants—Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il—exploited the growth of remote work and cryptocurrency development to circumvent sanctions and funnel digital assets to the North Korean government.

The operation began with the group coordinating their efforts in the United Arab Emirates in 2019. They targeted crypto platforms abroad, using fabricated profiles that included fraudulent documentation. Neither of the companies they infiltrated was aware of the applicants’ true North Korean nationality at the time of hiring. Once inside, the agents had access to sensitive systems and the company’s crypto wallets. Jong Pong Ju, also known as “Bryan Cho,” stole approximately $175,000 in digital currency from his employer’s account in February 2022. A month later, Kim Kwang Jin exploited flaws in the company’s smart contract code, making off with nearly $740,000 of crypto assets.

The stolen funds were laundered through a digital currency mixing service to hide their origins. The money was then transferred to exchange accounts opened with forged Malaysian identity documents. These accounts were managed by Kang Tae Bok and Chang Nam Il, who also laundered the proceeds from the stolen money. All four were named in a five-count indictment, including wire fraud and money laundering charges.

U.S. Attorney Theodore S. Hertzberg emphasized that the case reflects a growing and calculated threat from the Democratic People’s Republic of Korea (DPRK), which uses IT operatives globally to circumvent sanctions and raise funds for state-run programs, including nuclear weapons development. The FBI Atlanta division, which spearheaded the investigation, highlighted the distinct intersection between cybersecurity, national security, and financial crime.

This case is part of a broader pattern of North Korea’s operatives using crypto infrastructure to exploit international controls. Authorities said the scam was part of a wider drive to form “revenue generation networks” that ultimately contribute to North Korea’s strategic budget. These include high-profile cyberattacks, ransomware deployments, and now—direct infiltration into corporate teams through remote employment.

Andrew Fierman, head of national security at a blockchain forensics firm, commented that DPRK actors are increasingly embedding themselves within target firms. They gather internal knowledge, manipulate systems from within, and even orchestrate insider breaches. This insider model makes detection harder, especially when paired with advanced laundering techniques such as token mixing and the use of decentralized finance (DeFi) protocols to layer transactions.

The incident raises tough questions for the crypto industry, particularly about identity verification, hiring remote workers, and access control. Although blockchain-based companies prioritize decentralization and hiring talented staff globally, this approach heightens exposure to sophisticated fraud. The stolen funds, worth approximately $915,000 at the time, are still being tracked across exchanges. The DOJ and FBI are collaborating with international law enforcement and private blockchain analytics firms to recover the assets.