How Fake Identities Helped North Korean It Workers Infiltrate US Crypto Firms

North Korean IT workers were government-linked tech specialists trained to earn income for the regime, targeting U.S. blockchain and tech firms. 

Some of the main tools they used included:

Fake résumés and identity documents: They claimed to be remote workers from Canada, Australia, or the UAE and listed skills in blockchain development.

• English-language profiles: Their online accounts showed experience in decentralized finance (DeFi) and smart contracts, written in polished English to look trustworthy.
• VPNs: These tools hid their internet location and made it look like they were working from safer regions.
• AI-assisted coding tasks: They used artificial intelligence (AI) tools to automate parts of their development work, making them appear faster and more technically capable.
• Fake tax forms: The IT workers sent W-9 forms using stolen Social Security numbers and U.S. addresses, sometimes tied to unrelated places like pizza shops.

To get around know your customer (KYC) checks, they:

• Uploaded stolen or fake IDs with real-looking selfies.
• Used email addresses linked to false names and fake locations.
• Logged in from IP addresses that matched the identities they claimed.

The main goal was to get paid in stablecoins like USDt and USDC without revealing who they were or where they were based. 

These tactics let them work as crypto developers for nearly two years without being caught. 

They then funneled the money back to North Korea to support the regime and its sanctioned programs, including weapons development.

Why They Chose Stablecoins Over Other Crypto or Fiat Currency

According to the DOJ, the fake workers preferred to be paid in stablecoins because their value stays steady. 

Unlike cryptocurrencies that rise and fall in price, stablecoins help protect the value of their earnings. 

The official filing also noted that stablecoins were easier to trade for cash through over-the-counter traders. That fiat currency was then used to buy goods and support the North Korean regime.

North Korean IT workers preferred stablecoins for salary payments and cash conversion. 

Other Crypto Assets Used in the Scheme

However, the DOJ filing shows they also used many other cryptocurrencies to move and hide money across wallets and blockchains.

These tokens helped store value, pay gas fees, and carry out complex laundering steps. The complaint includes a broad mix of digital assets. The following assets appear on the DOJ list:

• ETH (Ether)
• BTC (Bitcoin)
• BNB (Binance Coin)
• POL (Polygon)
• LTC (Litecoin)
• AVAX (Avalanche)
• FTM (Fantom)
• CRV (Curve DAO Token)

Smaller altcoins and meme tokens, including SMI, STARL, KUMA, DBUY, PERP, GTC, and ABGRT, also appear in the mix.

These assets moved through wallets, exchanges, and DeFi platforms, making tracing the funds’ origin and final destination harder.

Inside the Crypto Funnel: How Millions Were Laundered

The North Korean IT workers funneled their crypto payments through a deliberate and layered process, making use of.

• Multiple wallets: They began by moving funds across multiple wallet addresses, often breaking large transfers into smaller amounts to avoid detection. This tactic, known as structuring, made the money flow harder to trace.
• Mixers: Next, they used virtual currency mixers. These tools combine transactions from many sources to obscure where the funds came from. The goal was to erase the digital trail linking the payments to North Korea.
• Chain hopping: They also engaged in chain hopping by converting crypto assets across blockchains. For example, they could swap stablecoins on Ethereum for another token on Tron or BNB Chain. This added complexity and made tracking difficult using standard blockchain tools.
• Traders: In the final stage, the funds reached over-the-counter (OTC) traders. These traders converted the laundered crypto into fiat currency through private deals, and the money flowed back to North Korea.

What Fake Job Profiles Mean for Remote Work and Crypto Platforms

This case sets a precedent for the future of remote work in sensitive industries, especially when employers rely on limited checks before hiring freelance developers. It also shows how crypto’s open architecture and AI can be turned into tools for sanctioned regimes.

DOJ records describe large-scale coordination, including overseas laptop farms where teams worked together using shared credentials and fake documents. These units targeted crypto and tech firms that had little verification in place.

Authorities flagged a set of unhosted wallet addresses involved in the laundering scheme and either froze or seized their assets.

“All unhosted addresses are unhosted addresses from which law enforcement seized funds and/or requested a freeze of funds because the funds were involved in and/or proceeds of this money laundering conspiracy”, stated the DOJ.

Platforms like Binance, Tether, and Coinbase helped U.S. authorities by freezing accounts and tracing flows. 

The case could lead to tighter oversight of remote hiring platforms and crypto exchanges. Startups in Web3 and DeFi may face rising compliance costs. 

There are also growing demands for real-time blockchain monitoring tools that work across jurisdictions. 

The use of AI to enhance fraud has raised further concerns among investigators.

Conclusion

North Korean agents posed as U.S. tech workers and earned nearly $8 million in crypto through fake résumés, remote job platforms, and stablecoin payments. They submitted forged IDs, used VPNs to hide their real locations, and relied on stolen tax forms to pass verification. Payments were routed through mixers, swapped across blockchains, and converted into cash by over-the-counter traders.

The agents remained active for nearly two years before being caught. U.S. authorities traced their steps, froze assets, and exposed the laundering network. The case shows how hostile actors can exploit security gaps in hiring and payment systems based on crypto. 

Crypto and tech firms, including fintech,  must improve checks and track suspicious activity before they become new victims.

FAQs