The U.S. Department of Justice (DoJ) said it has filed a civil forfeiture complaint in federal court that targets over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly linked to a global IT worker scheme orchestrated by North Korea.
“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, Head of the Justice Department’s National Security Division.
The Justice Department said the funds were originally restrained in connection with an April 2023 indictment against Sim Hyon-Sop, a North Korean Foreign Trade Bank (FTB) representative who is believed to have conspired with the IT workers.
The IT workers, the department added, gained employment at U.S. cryptocurrency companies using fake identities and then laundered their ill-gotten gains through Sim to further Pyongyang’s strategic objectives in violation of the sanctions imposed by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and the United Nations.
The fraudulent scheme has grown into a massive operation since its origins in 2017. The illegal employment operation relies on a combination of stolen and fictitious identities, aided by artificial intelligence (AI) tools such as OpenAI ChatGPT, to bypass due diligence checks and secure freelance jobs.
Tracked under the monikers Wagemole and UNC5267, the activity is assessed to be affiliated with the Workers’ Party of Korea and is viewed as a methodically engineered strategy to embed IT workers inside legitimate companies in order to draw a steady stream of revenue for North Korea.
Besides misrepresenting identities and locations, a core aspect of the operation involves recruiting facilitators to run laptop farms across the world, assist with video interview stages, and launder the proceeds back through various accounts.
One such laptop farm facilitator was Christina Marie Chapman, who pleaded guilty earlier this February for her involvement in the illicit revenue generation scheme. In a report published last month, The Wall Street Journal revealed how a LinkedIn message in March 2020 drew Chapman, a former waitress and massage therapist with over 100,000 followers on TikTok, into the intricate scam. She is scheduled to be sentenced on July 16.
“After laundering these funds, the North Korean IT workers allegedly sent them back to the North Korean government, at times via Sim and Kim Sang Man,” the DoJ said. “Kim is a North Korean national who is the chief executive officer of ‘Chinyong,’ also known as ‘Jinyong IT Cooperation Company.’”
An analysis of Sim’s cryptocurrency wallet by TRM Labs has revealed that it has received more than $24 million in cryptocurrency from August 2021 to March 2023.
[Image: North Korea organizational assessment]
“Most of these funds were traced back to Kim’s accounts, which were opened using forged Russian identity documents and accessed from Korean-language devices operating from the U.A.E. and Russia,” TRM Labs said. “Sim, a North Korean official, operated out of Dubai and maintained a self-hosted wallet that received laundered funds from dozens of sources.”
Kim, from his base in Vladivostok, Russia, acted as an intermediary between the IT workers and FTB, using two accounts to collect funds from them and re-distribute the proceeds to Sim and to other wallets connected to North Korea.
Cybersecurity company DTEX has characterized the IT worker threat as a state-sponsored crime syndicate that’s mainly geared towards sanctions evasion and generating profits, with the threat actors gradually shifting from laptop farms to using their own machines as part of companies’ Bring Your Own Device (BYOD) policies.
“Opportunity is really their only tactic and everything is treated as a tool of some sort,” Michael Barnhart, Principal i3 Insider Risk Investigator at DTEX Systems, told The Hacker News.
“If the focus is on laptop farms, which has been very good in getting that word out there, then naturally this opportunistic nation wants to gravitate to where the path is much easier if it is impacting operations. Until laptop farms are no longer effective at all, then that will still be an option, but abuse of BYOD was something that DTEX had seen in investigations and wasn’t publicized as much as the farms were.”
DTEX further pointed out that these IT workers fall into one of two categories: revenue IT workers (R-ITW) or malicious IT workers (M-ITW), each of which has its own function within North Korea’s cyber structure.
While R-ITW personnel are said to be less privileged and primarily motivated to make money for the regime, M-ITW actors go beyond revenue generation by extorting a victim client, sabotaging a cryptocurrency server, stealing valuable intellectual property, or executing malicious code in an environment.
Chinyong, per the insider risk management firm, is one of many IT companies that have deployed their workers in a combination of freelance IT work and cryptocurrency theft, leveraging their insider access to blockchain projects. It operates out of China, Laos, and Russia.
Two individuals associated with Chinyong-related IT worker efforts have been unmasked as having used the personas Naoki Murano and Jenson Collins to raise funds for North Korea, with Murano previously linked to a $6 million heist at crypto firm DeltaPrime in September 2024.
“Ultimately, the detection of DPRK-linked laptop farms and remote worker schemes requires defenders to look beyond traditional indicators of compromise and start asking different questions – about infrastructure, behavior, and access,” security researcher Matt Ryan said. “These campaigns aren’t just about malware or phishing; they’re about deception at scale, often executed in ways that blend seamlessly with legitimate remote work.”
Further investigation into the sprawling multi-million-dollar fraud has uncovered several accounts tied to fake domains set up for the various front companies used to provide fake references for the IT workers. These accounts were infected with information-stealing malware, Flashpoint noted, enabling it to flag some aspects of their tradecraft.
The company said it identified a compromised host located in Lahore, Pakistan, that contained a saved credential for an email account that was used as a point of contact when registering the domains associated with Baby Box Info, Helix US, and Cubix Tech US.
On top of that, in another instance, browser history harvested by the stealer malware included Google Translate URLs for dozens of translations between English and Korean, including ones related to providing falsified job references and shipping electronic devices.
That’s not all. Recent research has also laid bare a “covert, multi-layered remote-control system” used by North Korean IT workers to establish persistent access to company-issued laptops in a laptop farm while being physically located in Asia.
“The operation leveraged a combination of low-level protocol signaling and legitimate collaboration tools to maintain remote access and enable data visibility and control using Zoom,” Sygnia said in a report published in April 2025. “The attack chain […] involved the abuse of ARP packets to trigger event-based actions, a custom WebSocket-based command-and-control (C2) channel, and automation of Zoom’s remote-control features.”
“To further enhance stealth and automation, specific Zoom client configurations were required. Settings were meticulously adjusted to prevent user-facing indicators and audio-visual disturbances. Users were persistently signed in, video and audio were automatically muted upon joining, participant names were hidden, screen sharing initiated without visible indicators, and preview windows disabled.”
Running complementary to Wagemole is another campaign referred to as Contagious Interview (aka DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi), which primarily conducts malicious activity targeting developers to gain unauthorized access to companies rather than to gain employment.
“Gwisin Gang frankly are IT workers that instead of taking the long process of applying for a job, they target someone who already had the job,” Barnhart said. “They do appear elevated and unique in that they have malware usage that echoes this notion as well. IT workers is an overarching term though and there are many styles, varieties, and skill levels amongst them.”
As for how the IT worker scheme could evolve in the coming years, Barnhart points to the traditional financial sector as the target.
“With the implementation of blockchain and Web3 technologies into traditional financial institutions, I think all the DPRK cyber assets in that space are going to be aiming to have a run on these companies the way it was happening in years past,” Barnhart pointed out. “The more we integrate with those technologies, the more careful we have to be as DPRK is very entrenched.”