How North Korean IT Workers Use Crypto to Launder Billions Amid Global Sanctions

Dec 31, 2025

On February 12, 2025, crypto exchange Bybit lost $1.4 billion in a single attack. But this wasn’t a hack by a shadowy gang of coders in a basement. It was the work of someone sitting at a desk in a quiet apartment in Beijing, pretending to be a freelance developer from Canada. Their name? Joshua Palmer. Their real identity? A North Korean IT worker paid by the state to launder money through cryptocurrency.

This isn’t an outlier. It’s the new normal. North Korea’s regime, under Kim Jong Un, has shifted from hacking exchanges to hiring itself out. And they’re winning.

How North Korea’s IT Worker Scheme Works

North Korea doesn’t just steal crypto anymore. They get paid to work.

Through front companies like Chinyong Information Technology Cooperation Company - sanctioned by the U.S. Treasury in July 2025 - the DPRK sends IT professionals overseas under fake identities. These workers apply for remote jobs on platforms like Upwork, Toptal, and LinkedIn. They don’t ask for high pay. They ask for less. Often 20-30% below market rate. That’s how they get hired.

Once hired, they request payment in USDT or USDC. Why? Because stablecoins don’t swing in value like Bitcoin. They’re easy to move, easy to trade, and easy to turn into cash through over-the-counter (OTC) traders who don’t ask questions.

These workers aren’t doing one-off gigs. They’re on salary. Blockchain analysis shows consistent payments of around $5,000 every month. That’s not freelance income. That’s a government payroll.

Then comes the laundering. Funds are split across dozens of wallets, moved through Russian and UAE-based servers, mixed with legitimate transactions, and eventually funneled into accounts controlled by sanctioned North Korean operatives like Kim Sang Man and Sim Hyon Sop. The money doesn’t disappear. It just changes hands - and becomes clean.

Why Stablecoins Are the Weapon of Choice

Bitcoin is too volatile. Ethereum is too traceable. But USDT? USDC? Perfect.

Stablecoins are pegged to the U.S. dollar. That means when a North Korean worker gets paid $5,000 in USDT, they know exactly how much fiat that equals. No guesswork. No risk.

And because stablecoins are issued by centralized entities like Tether and Circle, they’re accepted by OTC desks that operate outside traditional banking. These desks - often based in Dubai, Moscow, or even Manila - take the crypto, convert it to cash, and wire it to shell companies tied to the North Korean regime.

The U.S. Treasury confirmed in June 2025 that DPRK officials use stablecoins specifically to buy military supplies: copper for munitions, rare earth metals for missiles, and components for nuclear warheads. Every dollar laundered through USDT is funding weapons that threaten global security.

The Deepfake Lie: How They Fool Employers

Imagine hiring a developer. You do a video call. They’re polite. They answer questions well. Their resume looks solid - MIT graduate, worked at Google, fluent in five languages. You sign the contract. You pay them in crypto. Two months later, they vanish.

That’s not luck. That’s AI.

North Korean operatives use deepfake software to mimic voices, faces, and even body language. They record real people speaking, then use AI to generate new video responses in real time during Zoom calls. Some use multiple devices to simulate different IP addresses, making it look like they’re working from Canada, then Germany, then Poland - all in the same week.

According to the RCMP’s July 2025 advisory, 92% of verified DPRK IT worker applications contained forged diplomas or employment records. One Canadian tech startup lost $280,000 after hiring a worker who appeared to be a Ukrainian developer. The video calls? All deepfakes. The work? Mostly stolen data and backdoor access. The payment? Sent to a crypto wallet that vanished into the blockchain.

How Much Money Are They Making?

At least $1.65 billion. That’s what the Multilateral Sanctions Monitoring Team (MSMT) reported for just the first nine months of 2025.

That’s more than double what they made in 2023. And it’s not all from hacks. In fact, only 38% of North Korea’s crypto income now comes from direct exchange breaches. Another 43%? From IT workers.

Their biggest single payout? The $1.4 billion Bybit heist. But their most dangerous tactic? The steady drip-feed. Small payments. Regular jobs. No headlines. No panic. Just money flowing into the regime’s war machine.

Compare that to the Lazarus Group’s $625 million Harmony Bridge hack in 2022. That was a flash flood. This is a slow leak - and harder to stop.

Who’s Getting Hit?

It’s not just big exchanges. It’s small startups. Freelance agencies. Remote-first companies in New Zealand, Poland, Kenya, and Brazil.

Companies looking to cut costs hire remote workers. North Korea exploits that. They don’t need to break into your system. They just need to get hired.

According to the Canadian Anti-Fraud Centre, businesses lose an average of $47,000 per incident. In 78% of cases, the payment was made in cryptocurrency. And once it’s sent? Gone. No chargebacks. No refunds. Just a blockchain transaction that can’t be undone.

One U.S. company hired a "Python developer" from Ukraine. They paid $120,000 in USDC over six months. The worker delivered code - but it contained hidden backdoors. When the company tried to audit their system, they found the worker had accessed customer databases, employee emails, and internal API keys. The worker disappeared. The data? Still in North Korean hands.

How to Protect Your Business

If you’re hiring remote IT workers, here’s what you need to do - right now.

  • Never pay in cryptocurrency. Even if they insist. Even if they say it’s "faster" or "cheaper." Use bank transfers. Use PayPal. Use Stripe. Anything but crypto.
  • Verify identities in real time. Do video calls. Then do another one a week later. Use different platforms. If they’re using AI deepfakes, they’ll slip up. One platform might capture a glitch. Another might catch a mismatched blink rate.
  • Check education and employment history. Call the university. Email the previous employer. North Korean applicants often list fake schools like "Harvard Online" or "Stanford Global Campus." Real universities have public directories. Use them.
  • Look for red flags. Multiple logins from different countries in one day. No signed contract before payment. Willingness to work for 30% below market rate. These aren’t quirks. They’re warning signs.
  • Use blockchain analytics tools. If you do pay in crypto (don’t), trace the wallet. Tools like Chainalysis and Elliptic can flag wallets linked to known DPRK laundering addresses. If the money goes to a wallet that’s been flagged by OFAC? Stop. Immediately.
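
The red flags listed above can be checked mechanically against sign-in logs and onboarding records. The following is an added example, not part of the original article: the sample records are constructed, and the field names and the 20% threshold setting are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in events: (contractor id, ISO-8601 time, GeoIP country).
SIGNINS = [
    ("c-101", "2025-11-03T08:14:00+00:00", "CA"),
    ("c-101", "2025-11-03T13:40:00+00:00", "DE"),
    ("c-102", "2025-11-03T09:00:00+00:00", "NZ"),
    ("c-103", "2025-11-03T23:50:00-05:00", "BR"),  # 04:50 UTC on Nov 4
    ("c-103", "2025-11-04T10:00:00+00:00", "KE"),
]
# Constructed onboarding records; the field names are hypothetical.
CONTRACTORS = {
    "c-101": {"rate": 70, "market": 100, "signed": False, "pay": "USDT"},
    "c-102": {"rate": 95, "market": 100, "signed": True, "pay": "bank"},
    "c-103": {"rate": 90, "market": 100, "signed": True, "pay": "bank"},
}
DISCOUNT_PCT = 20  # assumed threshold: flag bids this far below market


def multi_country_days(signins):
    """Return {contractor: [UTC dates with sign-ins from 2+ countries]}."""
    seen = defaultdict(set)
    for who, ts, country in signins:
        # Normalise to UTC so local offsets cannot split or merge a day.
        day = datetime.fromisoformat(ts).astimezone(timezone.utc).date()
        seen[(who, day)].add(country)
    flagged = defaultdict(list)
    for (who, day), countries in sorted(seen.items()):
        if len(countries) > 1:
            flagged[who].append(day.isoformat())
    return dict(flagged)


def red_flags(contractors, signins):
    """Return {contractor: [flag names]} for anyone with at least one flag."""
    geo = multi_country_days(signins)
    report = {}
    for who, rec in contractors.items():
        checks = {  # integer maths keeps the exact-threshold case correct
            "multi_country_logins": who in geo,
            "no_signed_contract": not rec["signed"],
            "below_market_rate": rec["rate"] * 100 <= rec["market"] * (100 - DISCOUNT_PCT),
            "crypto_payment_requested": rec["pay"] in {"USDT", "USDC"},
        }
        flags = [name for name, hit in checks.items() if hit]
        if flags:
            report[who] = flags
    return report
```

A flag is a prompt for manual review, not a verdict: VPN use or travel can also produce same-day sign-ins from two countries.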

Companies that follow these steps reduce their risk of infiltration by 63%, according to a U.S. Treasury analysis from August 2025. It’s not hard. It just takes discipline.

The Bigger Picture: Why This Matters

This isn’t about fraud. It’s about survival.

North Korea is under crippling sanctions. No trade. No banking. No access to global markets. But they’ve found a loophole: the internet.

They’re not just stealing money. They’re building a parallel economy. One where their workers are invisible, their payments are untraceable, and their weapons are funded by your payroll.

The U.S., Japan, and South Korea issued a joint warning in July 2025. The FATF updated its global guidelines on virtual assets. The FBI seized over $7.7 million in crypto and NFTs tied to these schemes. The State Department is offering $15 million for information.

But here’s the truth: as long as crypto remains anonymous, as long as companies hire without verification, and as long as stablecoins can be traded without KYC - this will keep happening.

North Korea didn’t invent crypto laundering. They perfected it. And they’re not stopping.

What’s Next?

The Treasury Department’s FinCEN is building a prototype system set to launch in Q1 2026 that can identify DPRK-linked crypto wallets with 89% accuracy. That’s promising. But it’s reactive.

The real solution? Prevention. Better hiring. Stronger verification. No crypto payments.

By Q4 2026, experts predict a 25-30% drop in successful DPRK infiltrations - not because the regime is weaker, but because companies are finally waking up.

But if you’re still paying remote workers in USDT? You’re still part of the problem.