
North Korean Operatives Infiltrate Crypto Firms, Launder Millions

Lim Qiaoyun
North Korean cyber operatives have penetrated cryptocurrency companies, stealing millions by embedding themselves as employees. Once inside, they gather intelligence, manipulate security controls, and facilitate insider breaches. These workers exploit remote-first hiring, use forged documentation, and conceal their North Korean ties to get hired. They set up do-it-yourself laptop farms to serve as remote access points, which let them tamper with smart contracts and drain crypto funds while appearing to operate from inside the U.S.
Modus Operandi: Infiltration and Exploitation
North Korean IT workers falsify documentation or hide their North Korean nexus in order to get hired. They exploit gaps in remote-first hiring, where companies able to recruit talent from anywhere often skip background checks.
"falsified documentation" and "masking their North Korean nexus" - Andrew Fierman
North Korean IT workers running these schemes set up laptop farms to act as remote access points for the operatives. They tamper with smart contracts and drain crypto assets while appearing to operate from U.S. jurisdictions. North Korea has conducted cyber operations for a long time; this activity predates blockchain and Web3.
The North Korean IT workers first posed as a group of IT professionals based in the UAE. From there they infiltrated U.S. and Serbian crypto companies under the guise of remote IT employees, using counterfeit identities to secure remote IT jobs, including at a U.S.-based cryptocurrency company.
Crypto Heists and Money Laundering
North Korean IT workers hatched a plan to steal almost $1 million in cryptocurrency. Their cover as remote developers at an Atlanta-based blockchain startup held, and they stole roughly $900,000 in two transactions, then laundered the proceeds through sanctioned channels.
The workers stole $175,000 in one heist and $740,000 in another, in separate incidents between 2020 and 2022. They then laundered those funds through mixers and exchanges, using synthetic identity documents.
"embedding themselves within these organizations" to "gather intelligence, manipulate security protocols, and even facilitate insider breaches" - Andrew Fierman
Crackdown and Long-Term Implications
In June 2025, the DOJ executed coordinated raids across 16 states. It seized 29 financial accounts, 21 fraudulent websites, and approximately 200 computers from laptop farms supporting North Korean IT operations. North Korea treats cyber operations as a strategic priority, and they are here to stay.
"a pattern that has increasingly become standard operating procedure" - Andrew Fierman
The crypto stolen by the North Korean IT workers was then moved through a web of transactions designed to obscure its trail.
"Unfortunately, many teams avoid in-person meetings and prefer hiring more 'cheap' developers than hiring well-known guys in our sector" - Vladimir Sobolev