North Korea’s Crypto Cloaking: How Hackers Are Still Cashing In Despite Sanctions

Despite years of global sanctions, North Korea continues to exploit the cryptocurrency ecosystem to secretly fund its weapons programs — and the U.S. government is cracking down hard.

A new report by blockchain analytics firm TRM Labs reveals how North Korean operatives, posing as remote IT workers, infiltrated tech and crypto companies to earn millions in stablecoins like USDC and USDT.

The scheme, orchestrated by cybercriminal Song Kum Hyok, relied heavily on fake identities, stolen U.S. documents, and global support networks stretching across Russia, China, and the UAE.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned Song on July 8, linking him to the notorious Andariel group — a cybercrime arm of North Korea’s military intelligence. Investigators say Song helped deploy North Korean agents into freelance roles at American blockchain startups, often under names like “Joshua Palmer” and “Alex Hong.”

Once hired, these operatives worked in positions involving blockchain development and Web3 infrastructure. Payments were sent in crypto, routed through complex layers of wallets, mixers, and over-the-counter (OTC) brokers — some already under sanction — and ultimately funneled to Pyongyang.

“These fake developers worked under the radar for months, sometimes years,” said TRM analysts. “The deception was so advanced that even employment verification systems were fooled.”

The U.S. Department of Justice (DOJ) also stepped in, filing a civil forfeiture complaint in June 2025 to seize over $7.7 million in digital assets linked to the scheme, including NFTs, ETH, and stablecoins.

Several intermediaries, including a Russia-based network of companies, were also sanctioned for knowingly helping launder funds and manage the fake job contracts.

What’s alarming, experts say, is the growing sophistication of North Korea’s crypto laundering tactics.
