{
	"id": "4939bbbe-02ce-43a0-8fff-0509444c5bbb",
	"created_at": "2026-04-06T00:21:08.744056Z",
	"updated_at": "2026-04-10T13:12:11.437196Z",
	"deleted_at": null,
	"sha1_hash": "a0f6728080250ea7faf070f13d5196f4fa0b2d98",
	"title": "DOJ moves to claim $7.74 million tied to North Korean IT worker scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74263,
	"plain_text": "DOJ moves to claim $7.74 million tied to North Korean IT worker\r\nscheme\r\nBy Jonathan Greig\r\nPublished: 2025-06-06 · Archived: 2026-04-05 21:13:02 UTC\r\nThe Department of Justice has filed a civil forfeiture complaint in federal court in connection with more than\r\n$7.74 million that was previously frozen and seized from North Koreans who allegedly obtained the money\r\nthrough the regime’s illicit IT worker scheme. \r\nThe funds are connected to Sim Hyon Sop, a North Korean Foreign Trade Bank representative who was allegedly\r\nconspiring with the IT workers from the country to launder money obtained through their illegal employment at\r\nU.S. companies. Sim was indicted in April 2023 after the federal government caught him attempting to launder the\r\nmoney. \r\n“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S.\r\nsanctions and bankroll its weapons programs,” said Sue Bai, head of the Justice Department’s National Security\r\nDivision.\r\nThe attempt to confiscate the funds, filed Thursday, “reflects the Department’s strategic focus on disrupting these\r\nillicit revenue schemes,” Bai said.\r\nCourt documents said the participants are able to send cryptocurrency back to North Korea by setting up accounts\r\nwith fake identities, moving funds in a series of small transactions, converting funds to other forms of\r\ncryptocurrency, purchasing NFTs, and using U.S.-based accounts to legitimize the activity. \r\nOnce the funds are commingled with other cryptocurrency and successfully laundered, they are sent to North\r\nKorea through Sim or Kim Sang Man, another North Korean official who runs an IT company working out of\r\nNorth Korea’s Ministry of Defense, the DOJ said.\r\nThe IT company, known as Chinyong, employs many North Korean IT workers who work in Russia and Laos.\r\nMany of the workers have been hired as developers, coders or as IT support staff at blockchain development\r\ncompanies and are paid in stablecoins such as USDC and USDT, the DOJ said. \r\nCryptocurrency firm TRM Labs tracked wallets associated with Sim and found more than $24 million received\r\nbetween 2021 and 2023. His accounts on unnamed cryptocurrency platforms were opened using “forged Russian\r\nidentity documents and accessed from Korean-language devices operating from the UAE and Russia.”\r\nTRM Labs found that Sim and Kim “functioned as central clearinghouses for the illicit proceeds” — with Sim\r\noperating out of Dubai and Kim operating out of Vladivostok, Russia. \r\nSim held a wallet that received laundered funds from dozens of sources while Kim ran two accounts that collected\r\nand redistributed funds to Sim and other wallets. \r\nhttps://therecord.media/north-korea-it-worker-scams-doj-civil-forfeiture-claim\r\nPage 1 of 3\n\nA substantial portion of Sim’s wallet balance “was later transferred to an over-the-counter trader based in the\r\nUAE, who was sanctioned by OFAC in December 2024 for converting illicit crypto proceeds into fiat currency,”\r\naccording to TRM Labs. \r\nThe Justice Department explained that the complaint and the indictments charging Sim are part of the larger\r\n“DPRK RevGen: Domestic Enabler Initiative” launched last year to disrupt the financial network built to support\r\nthe North Korean IT worker scheme. \r\nThe scheme has brought in millions for the North Korean regime and several Americans have been charged for\r\neither knowingly or unknowingly helping them pretend to work from the U.S. \r\nRoman Rozhavsky, assistant director of the FBI’s Counterintelligence Division, said its investigations have\r\nuncovered massive campaigns by North Korea to “defraud U.S. businesses by obtaining employment using the\r\nstolen identities of American citizens.”\r\nEmployment scammers continue to evolve in the tools they use. This week ChatGPT maker OpenAI said it\r\nidentified and banned accounts “associated with what appeared to be multiple suspected deceptive employment\r\ncampaigns.” The company said it couldn’t directly tie its discovery to North Korea, but the behavior appeared to\r\nbe consistent with schemes backed by the regime.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/north-korea-it-worker-scams-doj-civil-forfeiture-claim\r\nPage 2 of 3\n\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/north-korea-it-worker-scams-doj-civil-forfeiture-claim\r\nhttps://therecord.media/north-korea-it-worker-scams-doj-civil-forfeiture-claim\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/north-korea-it-worker-scams-doj-civil-forfeiture-claim"
	],
	"report_names": [
		"north-korea-it-worker-scams-doj-civil-forfeiture-claim"
	],
	"threat_actors": [],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0f6728080250ea7faf070f13d5196f4fa0b2d98.pdf",
		"text": "https://archive.orkl.eu/a0f6728080250ea7faf070f13d5196f4fa0b2d98.txt",
		"img": "https://archive.orkl.eu/a0f6728080250ea7faf070f13d5196f4fa0b2d98.jpg"
	}
}