Department Files Civil Forfeiture Complaint Against More Than $7.74 Million Laundered on Behalf of the North Korean Government

            WASHINGTON – The Department of Justice filed a civil forfeiture complaint today in the U.S. District Court for the District of Columbia alleging that North Korean information technology (“IT”) workers obtained illegal employment and amassed millions in cryptocurrency for the benefit of the North Korean government, all as a means of evading U.S. sanctions placed on North Korea. The funds were initially restrained in connection with an April 2023 indictment against Sim Hyon Sop (“SIM”), a North Korean Foreign Trade Bank (FTB) representative, who was conspiring with the IT workers. While the North Koreans were attempting to launder those ill-gotten gains, the U.S. government was able to freeze and seize over $7.74 million tied to the scheme.

            Today’s action was announced by U.S. Attorney Jeanine Ferris Pirro, Matthew R. Galeotti Head of the Justice Department’s Criminal Division, Sue J. Bai Head of the Justice Department’s National Security Division, and FBI Special Agent in Charge Douglas S. DePodesta of the Chicago Field Office.

            “Crime may pay in other countries but that’s not how it works here,” said U.S. Attorney Pirro. “Any adversary who thinks they can benefit, financially, from executing a criminal scheme – whether directly or through the use of surrogates – had better rethink this ‘get rich quick’ strategy. It doesn’t work for the average citizen, and it certainly does not have a more positive outcome for foreign entities. Sanctions are in place against North Korea for a reason, and we will diligently investigate and prosecute anyone who tries to evade them. We will halt your progress, strike back, and take hold of any proceeds you obtained illegally.”

            “This forfeiture action highlights, once again, the North Korean government’s exploitation of the cryptocurrency ecosystem to fund its illicit priorities,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The Department will use every legal tool at its disposal to safeguard the cryptocurrency ecosystem and deny North Korea its ill-gotten gains in violation of U.S. sanctions.”

            “For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, Head of the Justice Department’s National Security Division. “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

            “Attacks from foreign adversaries, to include the alleged theft of cryptocurrency, remains a top national security concern for the FBI and we will continue to defend the homeland by identifying and eliminating any illegal actions by North Korea that are in violation of vital sanctions laws,” said FBI Special Agent in Charge DePodesta. “Despite manipulative laundering techniques, this stands as one of the FBI’s first instances in which funds were successfully seized from North Korean IT workers before they could be used to undermine our nation’s safety. The FBI is committed to working with law enforcement networks around the world and committed prosecutorial partners to ensure that anyone who seeks to steal from or endanger the United States is brought to full justice.”

            According to the complaint, the North Korean government uses illegally obtained cryptocurrency as a means of generating revenue for its priorities. This illegally obtained cryptocurrency is generated, in part, through remote work done by North Korean IT workers deployed around the globe, including in the People’s Republic of China and the Russian Federation (Russia). Those IT workers have generated revenue for North Korea via their jobs at, among other places, blockchain development companies. To effectuate the scheme, these North Korean IT workers bypassed security and due diligence checks using fraudulent (or fraudulently obtained) identification documents and other obfuscation strategies. These tactics hid the North Koreans’ true location and identities, causing unwitting employers to hire these IT workers and often pay them in stablecoins, such as USDC and USDT.

            To send their illegally obtained cryptocurrency back to North Korea, the IT workers transferred the cryptocurrency using money laundering techniques. These techniques included: (1) setting up accounts with fictitious identities; (2) moving funds in a series of small amounts; (3) moving funds to other blockchains or converting funds to other forms of virtual currency (i.e., “chain hopping” and “token swapping,” respectively); (4) purchasing non-fungible tokens as a store of value and means of hiding illicit funds; (5) using U.S.-based online accounts to legitimize activity; and (6) commingling their fraud proceeds to hide the origin of the funds. After laundering these funds, the North Korean IT workers sent them back to the North Korean government, at times via SIM and Kim Sang Man (“KIM”). SIM is a North Korean official employed by North Korea’s Foreign Trade Bank (FTB). KIM is a North Korean national who is the chief executive officer of “Chinyong,” also known as “Jinyong IT Cooperation Company.” Chinyong is subordinate to North Korea’s Ministry of Defense (formerly known as the Ministry of the Peoples’ Armed Forces), which the Treasury Department’s Office of Foreign Assets Control (OFAC) added to its list of Specially Designated Nationals (SDN) on June 1, 2017.

            Chinyong employs delegations of North Korean IT workers that operate in, among other countries, Russia and Laos. KIM acts as an intermediary between the North Korean IT workers and North Korea’s FTB by sending funds from the North Korean IT workers to SIM.

            On April 24, 2023, OFAC added SIM to its SDN list. On May 23, 2023, OFAC added Chinyong and KIM to its SDN list.

            Today’s forfeiture action follows the Department’s announcement of two federal indictments charging SIM for allegedly conspiring (1) with North Korean IT workers to generate revenue through illegal employment at companies in the United States and abroad; and (2) with over-the-counter cryptocurrency traders to use stolen funds to buy goods for North Korea. The forfeiture action also follows on successful actions to disrupt North Korean revenue generation taken by the Department in May 2024, August 2024, December 2024, and January 2025. Those actions, launched by the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, targeted U.S. persons facilitating remote IT work and their North Korean co-conspirators.

            The FBI Chicago Field Office and FBI’s Virtual Assets Unit (VAU) are investigating the cases associated with this complaint.

            Senior Counsel Jessica Peck of the Computer Crime and Intellectual Property Section, Trial Attorney Gregory J. Nicosia, Jr. of the National Security Division’s National Security Cyber Section, Trial Attorney Emma Ellenrieder of the National Security Division’s Counterintelligence and Export Control Section, and Assistant U.S. Attorneys Christopher Tortorice and Rick Blaylock are handling the prosecutions and forfeiture action. Significant assistance was provided by former FBI Supervisory Special Agent Chris Wong.

            The FBI, in conjunction with the State and Treasury Departments, issued a May 2022 advisory to alert the international community, private sector, and public about the North Korea IT worker threat. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea), and in May 2024 by the FBI, which include indicators consistent with the North Korea IT worker fraud and the use of U.S.-based laptop farms. In January 2025, the FBI issued additional guidance regarding extortion and theft of sensitive company data by North Korean IT workers, along with recommended mitigations.