In brief
- Four North Korean agents allegedly used stolen identities to land remote IT jobs at a U.S. crypto startup.
- The group stole roughly $900,000 in two transactions and laundered crypto through sanctioned channels.
- Authorities consider the operation part of the DPRK's long-running strategy of funding its weapons programs through cybercrime.
Four North Korean nationals infiltrated an Atlanta-based blockchain startup and stole nearly $1 million in crypto by posing as remote developers, federal prosecutors from the Northern District of Georgia announced Monday, detailing charges from a five-count wire fraud and money laundering indictment.
The defendants first operated as a team in the UAE before infiltrating U.S. and Serbian crypto firms as remote IT workers. After gaining trust, they stole $175,000 and $740,000 in two separate 2022 incidents, laundering the funds through mixers and exchanges using fake identification documents.
Dubbed "North Korean IT workers," these operatives work by "embedding themselves within these organizations" to "gather intelligence, manipulate security protocols, and even facilitate insider breaches," Andrew Fierman, head of national security at blockchain analytics firm Chainalysis, told Decrypt.
The stolen crypto vanished through a maze of transactions designed to obscure its origin—a sophisticated playbook North Korea has refined over years of cybercriminal operations.
The DOJ did not immediately return Decrypt’s request for comment.
Standard operating procedure
These tactics form "a pattern that has increasingly become standard operating procedure," Fierman told Decrypt.
The threat actors get hired by using "falsified documentation" and "masking their North Korean nexus," Fierman explained.
Aside from sending their compensation "back to the regime," the workers also "patiently wait for the opportunity to access funds of the Web3 company they've infiltrated" to steal more, Fierman said.
The scheme exposes a vulnerability in crypto's remote-first culture, where firms hiring globally may skip background checks, allowing state-sponsored actors with fake identities to exploit gaps.
"Unfortunately, many teams avoid in-person meetings and prefer hiring more 'cheap' developers than hiring well-known guys in our sector," Vladimir Sobolev, threat researcher at blockchain security firm Hexens, told Decrypt. "This is a fundamental issue."
Describing North Korea's cyber operations as a "long-term endeavor," Sobolev noted that the country has been engaged in these activities for a long time, even "before the popularity of blockchain and Web3."
Broader scheme
Earlier this month, federal prosecutors detailed in a civil action how "tens of millions were exploited in a larger North Korean IT worker crypto scheme," Fierman said, sharing documents reviewed by Decrypt.
In a separate press release, the DOJ stated that it conducted coordinated raids across 16 states, seizing 29 financial accounts, 21 fraudulent websites, and approximately 200 computers from "laptop farms" supporting North Korean IT worker schemes, including the one involving the four defendants named above.
The enforcement actions revealed how North Korean agents used these laptop farms as remote access points, allowing operatives to modify smart contracts and drain crypto funds while appearing to work from U.S. locations.
"The ability for organizations to recognize these threats and protect their firm against them will be critical," Fierman warned.
Edited by Sebastian Sinclair