Key takeaways

  • Four North Korean operatives infiltrated crypto firms by posing as freelance developers using stolen and fake identities, highlighting flaws in remote hiring and background verification.

  • In June 2025, the US Department of Justice (DOJ) indicted the four individuals as part of its broader DPRK RevGen initiative, targeting domestic enablers and foreign operatives aiding North Korea’s crypto crimes. 

  • Remote hiring and a lack of due diligence make crypto startups highly vulnerable to insider threats and state-sponsored hacks. 

  • Stronger identity checks, smart contract access controls, FATF Travel Rule compliance and threat modeling for insider risks are essential defenses against sophisticated attacks.

In a significant case of cybercrime with geopolitical stakes, four North Korean individuals infiltrated a US-based blockchain startup and a Serbian virtual token company by posing as remote IT workers, using stolen and fabricated identities. After joining, they abused their trusted roles to steal over $900,000 in cryptocurrency. 

This was not a typical theft but reportedly part of a broader North Korean government plot to secretly finance its illegal weapons programs through cryptocurrency operations. This incident reveals weaknesses in remote hiring processes and underscores how sanctioned nations are increasingly using digital currencies as tools for economic warfare.

This article explores how the North Korean agents were able to join the global workforce, the crackdown of the Department of Justice (DOJ) on the network behind crypto thefts and how North Korea evades economic sanctions. 

Who were the perpetrators behind the crypto theft

Four North Korean nationals — Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il — carried out the cryptocurrency theft. They posed as freelance IT workers, using false names like “Bryan Cho” and “Peter Xiao” to hide their true identities and North Korean origins. 

Their scheme was carefully planned over several years, starting in 2019 when they traveled to the United Arab Emirates (UAE) using North Korean documents. They formed a coordinated cyber team and began targeting cryptocurrency companies in the US and Serbia.

Blending into the global remote workforce gave them trusted access to legitimate businesses, enabling highly sophisticated digital theft. Their actions were part of a larger North Korean effort to fund state-sponsored cyber and weapons programs through cryptocurrency fraud.

Did you know? Microsoft Threat Intelligence identified Sapphire Sleet as a North Korean hacking group heavily involved in stealing cryptocurrency and infiltrating businesses. 

How did North Korean operatives get into the crypto firms

In October 2019, four North Korean operatives traveled to the UAE using North Korean documents and formed a coordinated cyber team. Their goal was to infiltrate cryptocurrency companies abroad to access valuable digital assets. 

  • In December 2020, Kim Kwang Jin, using the stolen identity of an American citizen known as “PS,” was hired as a developer by an Atlanta-based blockchain research company. 

  • In May 2021, Jong Pong Ju joined a Serbian virtual token company under the alias “Bryan Cho.”

Both hid their North Korean origins by submitting fraudulent identity documents that mixed stolen data with forged details, successfully deceiving their employers. This allowed them access to critical back end systems. Later, Jong Pong Ju recommended “Peter Xiao,” who was actually their accomplice Chang Nam Il, for a position at the Serbian firm.

In 2022, the agents committed the theft: Jong Pong Ju stole $175,000 in February, and Kim Kwang Jin stole $740,000 in March by modifying smart contract code. The stolen cryptocurrency was laundered through mixers and transferred to accounts controlled by Kang Tae Bok and Chang Nam Il, which were set up using fake Malaysian IDs.

Timeline of stolen funds by North Korean agents

Here is a timeline highlighting key instances where North Korean state-sponsored agents engaged in sophisticated cyber heists:

  • October 2019: Four North Korean operatives traveled to the UAE and formed a coordinated cyber team to target cryptocurrency firms for access to digital assets.

  • December 2020: Kim Kwang Jin, using the stolen identity of a US individual known as “PS,” was hired as a remote developer by an Atlanta-based blockchain research and development company, gaining access to critical back end systems.

  • May 2021: Jong Pong Ju, under the alias “Bryan Cho,” secured employment at a Serbian virtual token firm, obtaining access to the company’s back end systems.

  • Sometime in 2021: Jong Pong Ju recommended “Peter Xiao,” who was Chang Nam Il, for a position at the Serbian firm, further embedding the operatives within the company.

  • February 2022: Jong Pong Ju stole $175,000 in cryptocurrency from the Serbian virtual token firm.

  • March 2022: Kim Kwang Jin stole $740,000 in cryptocurrency from the Atlanta-based blockchain company by altering smart contract code.

  • Post-theft (2022): The stolen cryptocurrency, totaling $915,000, was laundered through mixers and transferred to accounts controlled by Kang Tae Bok and Chang Nam Il, which were set up using fake Malaysian IDs.

Did you know? North Korea sends thousands of IT workers worldwide, including to Russia and China, to earn money for the regime. These workers use AI-generated profiles and stolen identities to get high-paying tech jobs. Once employed, they steal intellectual property, extort their employers and send the money back to North Korea.

DOJ’s crackdown on the network behind large-scale crypto thefts

On June 24, 2025, federal prosecutors from the Northern District of Georgia detailed charges against four North Korean operatives for five counts of wire fraud and money laundering, marking a key step in their efforts to combat state-sponsored cybercrime.

The charges were part of the DOJ’s DPRK RevGen: Domestic Enabler Initiative, started in 2024 to disrupt North Korea’s illegal revenue-generating activities, especially those targeting US businesses and infrastructure.

4 North Korean spies who posed as IT workers

In March 2024, the National Security Division and the Federal Bureau of Investigation (FBI)’s Cyber and Counterintelligence Divisions jointly launched the initiative. This program directs federal prosecutors and agents to focus on high-priority, strategic and coordinated operations. These efforts aim to disrupt North Korea’s illegal revenue-generating methods and target individuals within the US who facilitate these activities.

The investigation into the $900,000 cryptocurrency theft triggered a major enforcement operation across 16 US states. Federal agents seized 29 financial accounts, 21 fraudulent websites and about 200 computers used in “laptop farms,” which enabled North Korean IT workers to impersonate US-based developers and infiltrate companies remotely.

The DOJ states that these activities directly fund North Korea’s nuclear weapons and missile programs. By exploiting weaknesses in the cryptocurrency sector’s remote hiring, identity verification and decentralized finance practices, North Korea remains a significant and sophisticated threat to global digital security.

Role of crypto in North Korean sanctions evasion

Cryptocurrency has emerged as a key tool for North Korea to bypass international sanctions and finance its weapons programs. Reports from the Financial Action Task Force (FATF) and blockchain analytics firm Chainalysis indicate North Korea skillfully uses digital assets to evade traditional financial restrictions. The regime uses cryptocurrency’s anonymity, global reach and lack of centralized control to transfer and launder large sums without detection.

A significant example is the $1.46 billion hack of the Bybit cryptocurrency exchange, linked to the Lazarus Group, a North Korean state-sponsored hacking unit. These hackers frequently use crypto mixers, anonymity-focused coins and poorly regulated crypto exchanges to hide the source of stolen funds. Once laundered, these assets support North Korea’s illicit activities, including nuclear weapons development.

The FATF emphasizes that North Korea’s increasing reliance on cryptocurrency poses a serious and growing threat. As traditional financial systems become more restricted, North Korea views cryptocurrency not only as a way to circumvent sanctions but also as a critical tool for its economic survival and geopolitical strategy.

Did you know? Lazarus Group has a string of crypto heists to its name, including Bybit, WazirX, Stake.com, CoinEx, Ronin Bridge and Atomic Wallet.

Why crypto startups are easy targets for hackers

Cryptocurrency startups, with their high-value digital assets and decentralized systems, are prime targets for cybercriminals. Their innovative yet often vulnerable structures make them susceptible to sophisticated attacks, particularly from state-sponsored groups like North Korea’s Lazarus Group. Several factors contribute to this vulnerability, exposing gaps in the startups’ operational and security practices:

  • Remote hiring and lack of due diligence on developers: Crypto startups often rely on remote hiring to quickly build teams, but inadequate background checks allow malicious actors to infiltrate as developers. Fraudulent identities, like those used by North Korean operatives in the $900,000 heist, exploit this weakness to access sensitive systems.

  • Cost-cutting leads to hiring unverifiable IT workforce: To reduce expenses, startups frequently hire cheaper, offshore developers with unverified credentials. This practice increases the risk of employing individuals with malicious intent, as seen in cases like the Bybit $1.46 billion hack.

  • Cultural preference for async work reduces in-person vetting: The crypto industry’s emphasis on asynchronous, remote work minimizes face-to-face interactions, making it easier for hackers to pose as legitimate employees without undergoing rigorous in-person verification.

  • Weak smart contract security: Many crypto startups deploy poorly audited smart contracts, which hackers exploit using techniques like reentrancy attacks or code vulnerabilities.

What you can learn from the North Korean hacking incident

North Korean operatives’ $900,000 cryptocurrency theft is a critical warning for the entire crypto industry. Here are key lessons for startups and the broader sector:

For crypto startups

  • Strengthen identity verification and background checks: Accepting basic documents without scrutiny opens the door to sophisticated fraud.

  • Don’t depend solely on remote interactions: Relying on remote interviews for critical roles like developers or DevOps, especially those with access to core systems, may put your cybersecurity at risk.

  • Implement strict access controls: Stringent access controls for smart contracts and wallet systems ensure developers have limited privileges and are closely monitored.

For the broader industry

  • Improve compliance with FATF’s Travel Rule: Strengthen compliance with FATF’s Travel Rule and implement thorough Know Your Customer (KYC) protocols to block bad actors from exploiting regulatory weaknesses.

  • Conduct regular onchain audits: Perform regular onchain audits to identify suspicious fund movements before they cause significant harm.

  • Develop threat models for insider risks: Create threat models to address risks that could emerge from your staff, particularly in remote and hybrid work settings.
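The access-control and onchain-audit lessons above can be turned into a monitoring pass. The following is an added example, not code from the article or from any firm it describes; the addresses, the multisig-only rule for contract changes, the mixer denylist and the $100,000 outflow threshold are all assumptions chosen for illustration, and the event records are constructed to mirror the pattern of the heist: a contract change by a single developer key followed by treasury drains.

```python
"""Added illustration (not from the article): a minimal onchain-audit pass over
constructed event records, flagging a non-multisig contract change and
treasury outflows to denylisted or unusually large destinations."""
from dataclasses import dataclass
from typing import List

# Constructed sample configuration; every address here is a placeholder.
TREASURY = "0xTREASURY"
MULTISIG = "0xMULTISIG"          # assumed: the only account allowed to change contract logic
DEVELOPER = "0xDEV_KEY"          # an individual developer's key
MIXER_DENYLIST = {"0xMIXER_A", "0xMIXER_B"}
LARGE_OUTFLOW_USD = 100_000      # assumed per-transfer threshold for treasury withdrawals

@dataclass
class Event:
    block: int
    kind: str        # "Upgraded", "OwnershipTransferred" or "Transfer"
    sender: str      # tx.from for admin events; token sender for transfers
    target: str      # new implementation/owner, or transfer recipient
    usd: float = 0.0

def audit(events: List[Event]) -> List[str]:
    """Return one finding per suspicious event (empty list means nothing was flagged)."""
    findings = []
    for e in events:
        # Contract logic or ownership changed by anything other than the multisig
        if e.kind in ("Upgraded", "OwnershipTransferred") and e.sender != MULTISIG:
            findings.append(f"block {e.block}: {e.kind} by non-multisig key {e.sender}")
        # Treasury outflows: check destination against the denylist and the size threshold
        if e.kind == "Transfer" and e.sender == TREASURY:
            if e.target in MIXER_DENYLIST:
                findings.append(f"block {e.block}: treasury outflow to denylisted address {e.target}")
            if e.usd >= LARGE_OUTFLOW_USD:
                findings.append(f"block {e.block}: large treasury outflow ${e.usd:,.0f} to {e.target}")
    return findings

SAMPLE = [  # constructed: one routine upgrade, then a single-key change followed by drains
    Event(100, "Upgraded", MULTISIG, "0xIMPL_V2"),
    Event(205, "Upgraded", DEVELOPER, "0xIMPL_BACKDOOR"),
    Event(206, "Transfer", TREASURY, "0xMIXER_A", usd=175_000),
    Event(207, "Transfer", TREASURY, "0xFRESH_WALLET", usd=740_000),
    Event(210, "Transfer", TREASURY, "0xVENDOR", usd=2_500),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

In practice the event list would come from a node or indexer and the findings would feed an alerting pipeline; the point is that a single developer key changing contract logic should never pass unnoticed.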

In an industry built on trustless technology, trust in personnel remains crucial. This incident highlights that robust cyber hygiene, thorough identity vetting, and ongoing monitoring are vital for survival.