Department Files Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf of the North Korean Government

The Department of Justice filed a civil forfeiture complaint today in the U.S. District Court for the District of Columbia alleging that North Korean information technology (IT) workers obtained illegal employment and amassed millions in cryptocurrency for the benefit of the North Korean government, all as a means of evading U.S. sanctions placed on North Korea. The funds were initially restrained in connection with an April 2023 indictment against Sim Hyon Sop (Sim), a North Korean Foreign Trade Bank (FTB) representative who was allegedly conspiring with the IT workers. While the North Koreans were attempting to launder those ill-gotten gains, the U.S. government was able to freeze and seize over $7.74 million tied to the scheme.

“This forfeiture action highlights, once again, the North Korean government’s exploitation of the cryptocurrency ecosystem to fund its illicit priorities,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The Department will use every legal tool at its disposal to safeguard the cryptocurrency ecosystem and deny North Korea its ill-gotten gains in violation of U.S. sanctions.”

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, Head of the Justice Department’s National Security Division. “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

“Crime may pay in other countries but that’s not how it works here,” said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia. “Any adversary who thinks they can benefit, financially, from executing a criminal scheme – whether directly or through the use of surrogates – had better rethink this ‘get rich quick’ strategy. It doesn’t work for the average citizen, and it certainly does not have a more positive outcome for foreign entities. Sanctions are in place against North Korea for a reason, and we will diligently investigate and prosecute anyone who tries to evade them. We will halt your progress, strike back, and take hold of any proceeds you obtained illegally.”

“The FBI’s investigation has revealed a massive campaign by North Korean IT workers to defraud U.S. businesses by obtaining employment using the stolen identities of American citizens, all so the North Korean government can evade U.S. sanctions and generate revenue for its authoritarian regime,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “Today’s action shows the FBI will do everything in our power to protect Americans from being victimized by the North Korean government, and we ask all U.S. companies that employ remote workers to remain vigilant to this new and sophisticated threat.” 

According to the complaint, the North Korean government uses illegally obtained cryptocurrency as a means of generating revenue for its priorities. This illegally obtained cryptocurrency is allegedly generated, in part, through remote work done by North Korean IT workers deployed around the globe, including in the People’s Republic of China and the Russian Federation (Russia). Those IT workers have generated revenue for North Korea via their jobs at, among other places, blockchain development companies. To obtain employment, these North Korean IT workers allegedly bypassed security and due diligence checks using fraudulent (or fraudulently obtained) identification documents and other obfuscation strategies. These tactics hid the North Koreans’ true location and identities, causing unwitting employers to hire them and pay them a salary, often in stablecoins, such as USDC and USDT.

To send their illegally obtained cryptocurrency back to North Korea, the IT workers allegedly transferred the cryptocurrency using money laundering techniques. These techniques included: (1) setting up accounts with fictitious identities; (2) moving funds in a series of small amounts; (3) moving funds to other blockchains or converting funds to other forms of virtual currency (i.e., “chain hopping” and “token swapping,” respectively); (4) purchasing non-fungible tokens as a store of value and means of hiding illicit funds; (5) using U.S.-based online accounts to legitimize activity; and (6) commingling their fraud proceeds to hide the origin of the funds. After laundering these funds, the North Korean IT workers allegedly sent them back to the North Korean government, at times via Sim and Kim Sang Man (Kim). Kim is a North Korean national who is the chief executive officer of “Chinyong,” also known as “Jinyong IT Cooperation Company.” Chinyong is subordinate to North Korea’s Ministry of Defense (formerly known as the Ministry of the Peoples’ Armed Forces), which the Treasury Department’s Office of Foreign Assets Control (OFAC) added to its list of Specially Designated Nationals (SDN) on June 1, 2017.

Chinyong employs delegations of North Korean IT workers that operate in, among other countries, Russia and Laos. Kim allegedly acts as an intermediary between the North Korean IT workers and North Korea’s FTB by sending funds from the North Korean IT workers to Sim.

On April 24, 2023, OFAC added Sim to its SDN list. On May 23, 2023, OFAC added Chinyong and Kim to its SDN list.

Today’s forfeiture action follows the Department’s announcement of two federal indictments charging Sim for allegedly conspiring (1) with North Korean IT workers to generate revenue through illegal employment at companies in the United States and abroad; and (2) with over-the-counter cryptocurrency traders to use stolen funds to buy goods for North Korea. The forfeiture action also follows on successful actions to disrupt North Korean revenue generation taken by the Department in May 2024, August 2024, December 2024, and January 2025. Those actions, which are part of the Department-wide DPRK RevGen: Domestic Enabler Initiative launched in March 2024 by the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, targeted U.S. persons facilitating remote IT work and their North Korean co-conspirators.

The FBI Chicago Field Office and FBI’s Virtual Assets Unit are investigating the cases associated with this complaint.

Senior Counsel Jessica Peck of the Computer Crime and Intellectual Property Section, Trial Attorney Gregory J. Nicosia Jr. of the National Security Division’s National Security Cyber Section, Trial Attorney Emma Ellenrieder of the National Security Division’s Counterintelligence and Export Control Section, and Assistant U.S. Attorneys Christopher Tortorice and Rick Blaylock for the District of Columbia are handling the prosecutions and forfeiture action. Significant assistance was provided by former FBI Supervisory Special Agent Chris Wong.

The FBI, in conjunction with the State and Treasury Departments, issued a May 2022 advisory to alert the international community, private sector, and public about the North Korea IT worker threat. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea), and in May 2024 by the FBI, which include indicators consistent with the North Korea IT worker fraud and the use of U.S.-based laptop farms. In January 2025, the FBI issued additional guidance regarding extortion and theft of sensitive company data by North Korean IT workers, along with recommended mitigations.