The United States Department of Justice has filed a civil forfeiture complaint alleging that North Korean information technology workers obtained illegal employment and generated millions for the North Korean government as a means to avoid U.S. sanctions. The U.S. government was able to freeze and seize over $7.74 million tied to the scheme while the hackers were attempting to launder the funds. The complaint is the most recent legal development exposing North Korean operatives as the world’s leading bank robbers.

1. Introduction

In my last post to On The Wire I discussed what money laundering is and the various means that are commonly used to clean illicit funds. I emphasized the wide net of criminal liability cast by the Canadian Parliament in the text of the money laundering offence. (here) I characterized money laundering as transnational in scope. In this post I will move from that general discussion of the pervasiveness and clandestine nature of money laundering to a case specific example. I have selected a recent civil forfeiture complaint filed in the United States District Court for the District of Columbia to focus the discussion.

2. Background

On June 5, 2025, the U.S. Department of Justice filed a civil forfeiture complaint in the United States District Court for the District of Columbia in Washington, D.C. alleging that North Korean IT workers obtained illegal employment and amassed millions in cryptocurrency for the benefit of the North Korean government. The scheme was devised as a means to evade U.S. sanctions. (here) The funds were initially restrained in connection with an indictment unsealed on April 24, 2023, alleging that Sim Hyon Sop, a North Korean Foreign Trade Bank representative, conspired with the IT workers. (here) The funds were frozen by the U.S. government while the North Koreans were attempting to launder them. Over $7.74 million tied to the scheme was seized. (here)

3. The Complaint

The complaint contains a glossary of terminology that would be second nature to anyone who has conducted transactions in virtual currency. If, however, you are new to how cryptocurrency works, I will give you explanations of some terms taken from the complaint that may assist in understanding the core allegations.

• Virtual Currency: Virtual currencies are digital representations of value that, like traditional coin and paper currency, function as a medium of exchange (i.e., they can be digitally traded or transferred and can be used for payment or investment purposes). Virtual currencies are a type of digital asset separate and distinct from digital representations of traditional currencies, securities, and other traditional financial assets. The exchange value of a particular virtual currency generally is based on agreement or trust among its community of users. […] Cryptocurrencies, like Bitcoin and Ether, are types of cryptocurrencies, which rely on cryptography for security. Cryptocurrencies typically lack a central administrator to issue the currency and maintain payment ledgers. Instead, cryptocurrencies use algorithms, a distributed ledger known as a blockchain, and a network of peer-to-peer users to maintain an accurate system of payments and receipts. (cl. 42)
• Bitcoin: Bitcoin (or “BTC”) is a type of virtual currency. Unlike traditional, government-controlled currencies (i.e., fiat currencies), such as the U.S. dollar, Bitcoin is not managed or distributed by a centralized bank or entity. Because of that, Bitcoin can be traded without the need for intermediaries. Bitcoin transactions are approved/verified by computers running Bitcoin’s software. Those computers are called network nodes. Each node uses cryptography to record every Bitcoin transactions on the Bitcoin blockchain. The Bitcoin blockchain is a public, distributed ledger. Bitcoin can be exchanged for fiat currency, other virtual currencies, products, and services. (cl. 28)
• Blockchain: A blockchain is a digital ledger run by a decentralized network of computers referred to as “nodes.” Each node runs software that maintains an immutable and historical record of every transaction utilizing that blockchain’s technology. Many digital assets, including virtual currencies, publicly record all of their transactions on a blockchain, including all of the known balances for each virtual currency address on the blockchain. […] There are many different blockchains used by many different virtual currencies. For example, Bitcoin in its native state exists on the Bitcoin blockchain, while Ether (or “ETH”) exists in its native state on the Ethereum network.
• Blockchain Analysis: Law enforcement can trace transactions on blockchains to determine which virtual currency addresses are sending and receiving particular virtual currency. This analysis can be invaluable to criminal investigations for many reasons, including that it may enable law enforcement to uncover transactions involving illicit funds and to identify the person(s) behind those transactions. To conduct blockchain analysis, law enforcement officers use reputable, free open-source blockchain explorers, as well as commercial tools and services. The commercial tools are offered by different blockchain-analysis companies. Through numerous unrelated investigations, law enforcement has found the information associated with these tools to be reliable. In this case, law enforcement used blockchain tracing to uncover the connections between the Defendant Property and this North Korean IT worker conspiracy. (cl. 30)

The complaint alleges that the North Korean government used illegally obtained virtual currency as a means to produce revenue for priorities such as its nuclear weapons program. (here) The illegal currency was generated, in part, through remote work done by North Korean IT workers deployed worldwide including in China and Russia. To implement the scheme, the IT workers used fraudulent identification documents and other obfuscation strategies to bypass security and due diligence checks to obtain work and access financial services through unwitting employers. These tactics hid the North Koreans’ true location and identities causing employers in the U.S. to hire them and pay their salaries in violation of U.S. sanctions.

In order to send the illegally obtained virtual currency back to North Korea, the workers transferred the currency through a series of transactions designed to hide the source of the funds. Here are six money laundering techniques allegedly used: (a) setting up accounts with fictitious identities; (b) moving funds in a series of small amounts; (c) moving funds to other blockchains or converting funds to other forms of virtual currency (i.e., “chain hopping” and “token swapping,” respectively); (d) purchasing NFTs as a store of value and means of hiding illicit funds; (e) using U.S.-based online accounts to legitimize activity; and, (f) commingling the proceeds to hide the origin of the funds.

After laundering the funds, the IT workers would send them back to the North Korean government. Sometimes, the funds were sent by way of Sim Hyon Sop and Kim Sang Man. As I mentioned previously, Sim Hyon Sop is a North Korean official employed by North Korea’s Foreign Trade Bank. Kim Sang Man is a North Korean national who is the chief executive officer of “Chinyong,” also known as “Jinong IT Cooperation Company.” Chinyong is subordinate to North Korea’s Ministry of Defense which the U.S. Treasury Department’s Office of Foreign Assets Control added to its list of Specially Designated Nationals on June 1, 2017.

The property that is the subject of the complaint includes eight tranches of virtual currency that have either been seized and are in U.S. government wallets or have been frozen pending transfer to the government pursuant to this action.

4. Conclusion

The alleged illegal activities of the North Korean regime range from fraud and theft to narcotics production, human trafficking and arms dealing. Writing for the Financial Times, Owen Walker said North Korean groups stole $1.3 billion in cryptocurrency in 2024. The total value of the thefts by North Korean-affiliated groups, across 47 incidents in 2024, was more than double the amount they took the previous year. (here) According to data from Chainalysis, a blockchain research group, the hermit country now accounts for two-thirds of the cryptocurrency hacks worldwide. (here) After developing “an army of highly trained hackers over decades” North Korean operatives have emerged as the “the world’s leading bank robbers”. (here)