North Korean Hackers Launder Millions in USDC, USDT via Crypto Jobs

Generated by AI Agent Coin World
Wednesday, Jul 16, 2025 10:45 am ET
Aime Summary

- North Korean hackers laundered millions in USDC/USDT via fake identities at crypto firms, using stolen U.S. data.

- U.S. Treasury sanctioned operatives like Song Kum Hyok and linked firms for placing North Korean workers in U.S. companies.

- Funds were routed through multi-layered wallets, mixers, and OTC brokers to convert into fiat, with some brokers already sanctioned.

- FBI and DOJ seized $7.7M in crypto/NFTs linked to the regime, disrupting their sanctions evasion tactics.

- TRM Labs warns companies to verify remote hires in blockchain sectors to prevent illicit activities.

North Korean hackers have been successfully laundering millions in USDC and USDT while working covertly for blockchain startups, according to a report by TRM Labs. These IT workers, who are actually North Korean operatives, have been placed in jobs at unsuspecting tech and crypto companies using stolen American identities and fake documents. Many of these jobs are in web3, crypto infrastructure, or blockchain-related software development. The workers operate from countries like China and Russia, pretending to be U.S.-based freelancers, and receive payments in stablecoins such as USD Coin (USDC) and Tether (USDT). The funds are then routed through layers of wallets, mixers, and conversion services before ending up in the hands of the North Korean regime.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a North Korean hacker, Song Kum Hyok, who is linked to Andariel, a cybercrime unit within North Korea’s military intelligence. Song played a key role in placing North Korean operatives into jobs at U.S. companies. The scheme involves fake personas built using stolen data from real U.S. citizens, allowing North Korean operatives to work for months or even years under false names. OFAC has also sanctioned four companies and one other person connected to a Russia-based network that allegedly helped manage these fake IT jobs. These businesses reportedly signed long-term contracts with DPRK-linked firms and were aware they were dealing with North Korean workers.

Many of the workers targeted jobs in the crypto sector specifically, where payments were easier to anonymize. Once the crypto was received, it was spread across several wallets and eventually converted into fiat using OTC brokers, some of whom have been previously sanctioned. The latest OFAC action followed a series of coordinated moves by U.S. agencies, including the Department of Justice and the FBI. On June 5, 2025, the DOJ filed a civil forfeiture complaint seeking to seize over $7.7 million in crypto, NFTs, and other digital assets believed to be linked to the same North Korean network. The workers used identities like “Joshua Palmer” and “Alex Hong” to get hired at crypto startups and other tech firms. They were paid in stablecoins, with proceeds routed through centralized exchanges, self-hosted wallets, and then on to higher-level regime figures like Kim Sang Man and Sim Hyon Sop, both already under U.S. sanctions.

The DOJ’s investigation revealed that parts of the operation relied on infrastructure based in Russia and the UAE. Investigators found the use of local IP addresses and forged documentation, which helped the North Korean workers hide their true identities. This underscored just how international the scheme had become. Blockchain data reviewed by TRM showed that once funds reached mid-level wallets, the money was split into smaller portions, routed through privacy-enhancing tools, and eventually exchanged for fiat via OTC desks. One of those OTC brokers had already been sanctioned by OFAC in late 2024. As for law enforcement efforts, the FBI and other agencies successfully seized a portion of the laundered digital assets, including USDC, ETH, and some high-value NFTs. The analysts described these seizures as part of a broader laundering strategy meant to break up the money trail and make detection far more difficult.

TRM Labs says the U.S. government’s latest action sends a message that crypto remains a high-risk channel for sanctions evasion, especially when it comes to North Korean operations. The blockchain firm warned that companies hiring remote developers, especially in the blockchain space, need to take extra care in verifying who they’re really dealing with. Deputy Secretary of the Treasury, Michael Faulkender, stated, “Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks.”
