• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Intelligence
  • DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

Pierluigi Paganini June 09, 2025

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes, per a new DOJ forfeiture complaint.

The DOJ filed a civil forfeiture complaint for $7.74M in crypto tied to North Korean fake IT worker schemes linked to the indictment of North Korean Foreign Trade Bank (FTB) representative Sim Hyon Sop.

The frozen funds include cryptocurrency, NFTs, and other digital assets.

“The Department of Justice filed a civil forfeiture complaint today in the U.S. District Court for the District of Columbia alleging that North Korean information technology (IT) workers obtained illegal employment and amassed millions in cryptocurrency for the benefit of the North Korean government, all as a means of evading U.S. sanctions placed on North Korea.” reads the press release published by DoJ. “The funds were initially restrained in connection with an April 2023 indictment against Sim Hyon Sop (Sim), a North Korean Foreign Trade Bank (FTB) representative who was allegedly conspiring with the IT workers. While the North Koreans were attempting to launder those ill-gotten gains, the U.S. government was able to freeze and seize over $7.74 million tied to the scheme.”

The DOJ complaint reveals that North Korea funds its priorities by illegally obtaining cryptocurrency, partly through IT workers secretly deployed abroad, including in China and Russia. These workers land remote jobs, often with blockchain firms, by using fake IDs and deceptive tactics to hide their true identities and locations. Unaware of the scheme, employers pay them in stablecoins like USDC and USDT, unknowingly fueling North Korea’s revenue stream.

North Korean IT workers allegedly laundered illicit crypto using fake identities, small transfers, chain hopping, NFT purchases, and used U.S. accounts to hide their origins. Once cleaned, the funds were funneled back to the regime, sometimes via Sim Hyon Sop and Kim Sang Man, CEO of Chinyong, a firm tied to North Korea’s Ministry of Defense and sanctioned by the U.S. since 2017.

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, Head of the Justice Department’s National Security Division. “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

In May 2024, the Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days before. US authorities are requesting the extradition to the United States of Didenko.

Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

The FBI also issued an advisory warning of the public and private sector of the threat posed to U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea). 

In August, the U.S. Justice Department arrested Matthew Isaac Knoot (38) from Nashville (Tennessee) for operating a “laptop farm” that facilitated North Korea-linked IT workers in obtaining remote jobs with American companies.

The man was arrested for his efforts to generate revenue for North Korea’s illicit weapons program, which includes weapons of mass destruction (WMD).

US authorities accused Knoot of aiding North Korean IT workers in using a stolen identity to impersonate a U.S. citizen, hosting company laptops at his home, unauthorized software installation to facilitate access, and laundering payments for the remote work through accounts linked to North Korean and Chinese individuals.

“According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors.” reads the press release published by DoJ. “Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.”

North Korea has dispatched skilled IT workers abroad, mainly to China and Russia, to deceive global businesses into hiring them as freelance IT workers, generating revenue for its weapons programs. These IT workers use fake identities and online tactics to mask their true origins. According to a May 2022 advisory, they can earn up to $300,000 annually each.

An indictment in Tennessee reveals that Knoot aided North Korean IT workers by facilitating remote IT jobs at U.S. companies under the false pretense that they were U.S.-based. Knoot operated a “laptop farm” from July 2022 to August 2023, where he received laptops shipped to a fake identity, installed unauthorized software, and allowed North Korean workers in China to access U.S. company networks. Knoot was paid monthly by a foreign facilitator named Yang Di. His operations were raided in August 2023.

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

It has been estimated that Knoot and his conspirators’ caused the targeted companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer the funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it.  The non-U.S. accounts include accounts associated with North Korean and Chinese actors.

The victims companies believed they were hiring a legitimate U.S. worker and shipped laptops to Knoot’s home. Then Knoot installed unauthorized software on the laptops to allow the North Korean IT workers to remotely login from locations in China.

Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens.” concludes DoJ. “If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.””

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


facebook linkedin twitter

Hacking hacking news information security news North Korea North Korean IT workers Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini July 08, 2025
Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day
Read more
Pierluigi Paganini July 08, 2025
Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

    Security / July 08, 2025

    Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

    Intelligence / July 08, 2025

    U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 08, 2025

    IT Worker arrested for selling access in $100M PIX cyber heist

    Cyber Crime / July 08, 2025

    New Batavia spyware targets Russian industrial enterprises

    Malware / July 07, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT