
How North Korean IT Workers Stole Nearly $1M in Crypto by Infiltrating Blockchain Startups

Four North Korean nationals, posing as remote IT developers with fake identities, stole nearly $1M in crypto from U.S. and Serbian blockchain startups, laundering funds via Tornado Cash to support DPRK’s weapons programs.

Author: Jim Haastrup

Key Insights

  • The U.S. Department of Justice has charged four North Korean nationals with wire fraud and money laundering.

  • The accused reportedly stole nearly $1 million in crypto from blockchain startups by posing as remote IT developers.

  • These individuals secured remote jobs at companies in Atlanta, Georgia, and Serbia and directly stole cryptocurrencies like Ether, Elixir and Matic.

  • The incident shows just how big a threat North Korean hackers are to the crypto space.

The U.S. Department of Justice (DOJ) has charged four North Korean nationals with wire fraud and money laundering. 

According to reports, the defendants allegedly posed as remote blockchain developers for U.S. and Serbian startups before using their employee access to steal nearly $1 million worth of crypto.

Interestingly, authorities also say that the stolen funds were funneled back to North Korea to support its nuclear weapons and ballistic missile programs.

Here’s how the hacking scheme played out.

Fake Identities and Remote Jobs

The four men, Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il, are accused of using stolen identities to pose as remote IT developers. 

They operated out of the United Arab Emirates as early as 2019 and eventually secured employment with two blockchain-focused companies.

Four North Korean individuals charged | Source: Twitter

One of these was based in Atlanta, Georgia and the other in Serbia.

Kim and Jong allegedly submitted documents featuring real birthdates and government ID numbers during the job applications but swapped in their own photos. 

These tactics allowed them to gain access to the companies’ internal systems like smart contract source code and crypto wallets.

How the Crypto Theft Happened

Once inside, the hackers didn't wait long to act.

In February 2022, Jong reportedly transferred around 60 Ether (worth approximately $175,000 at the time) to a wallet he controlled.

In March 2022, Kim modified smart contract source code and drained about $740,000 worth of digital tokens, including Elixir, Matic and Start tokens.

They didn’t act alone either. 

The team used Tornado Cash to launder the stolen assets. The mixed funds were then moved into wallets controlled by Kang and Chang, both of whom had opened accounts under fake Malaysian identities.

Inside the “Laptop Farm” Network

This case is just one part of a much larger DOJ investigation, known as the DPRK RevGen: Domestic Enabler Initiative, which targets North Korea’s revenue-generating hacks.

U.S. authorities also recently discovered a network of “laptop farms” across 16 states, where physical computers were hosted in American homes and controlled remotely by North Koreans abroad. 

These laptops were shipped by companies that thought they were hiring legitimate U.S.-based IT professionals.

According to prosecutors, these North Korean hackers had an accomplice named Zhenxing “Danny” Wang.

Wang was a New Jersey resident who helped run one such farm. 

He reportedly founded a front company called Independent Lab, which received and managed laptops meant for “supposed” employees, and allowed North Korean workers access to these machines.

Fake Names, Real Access

The indictment shows just how deeply North Korean operatives embedded themselves into the companies they hacked.

Kim, for example, used a stolen Portuguese ID to secure a position at the Atlanta company and modified the source code of two smart contracts.

Moreover, when confronted by the company founder via Telegram, Kim (still using his stolen alias) denied the theft, saying, “How many times do I need to tell you??? I didn’t do it!!! It’s not me!!!”

In a separate case, Jong posed as “Bryan Cho” to gain employment at another blockchain company. He later recommended Chang, under the alias “Peter Xiao,” for hire.

After Jong gained access to the firm’s wallets, about $175,000 went missing. When asked about the missing funds, he claimed to have “accidentally dropped the private key into the .env sample file.”
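The “.env sample file” excuse points at a control worth having whether or not the claim was true: a wallet private key or seed phrase should never appear in a committed .env or .env.sample file, and a check that catches it belongs in the repository’s pre-commit hooks. The scanner below is an added example, not code from the article or from any company it names; the file contents and the secret values in it are constructed, and the rules (a 64-hex-character value, a 12- or 24-word phrase, or any non-placeholder value in a variable whose name suggests key material) are this example’s own assumptions about what key material looks like.

```python
import re
from typing import Dict, List

# Constructed sample of a ".env.sample" that was meant to hold only placeholders
# but carries live-looking values. Both secret values are made up for this example.
SAMPLE_ENV = """# deployment settings (sample file, committed to the repo)
export RPC_URL="https://example.invalid/rpc"
DEPLOYER_PRIVATE_KEY=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
API_KEY=
MNEMONIC="abandon ability able about above absent absorb abstract absurd abuse access accident"
LOG_LEVEL=info
"""

# A raw secp256k1 private key is 32 bytes, i.e. 64 hex characters, optionally 0x-prefixed.
HEX_PRIVATE_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# BIP-39 seed phrases are 12 or 24 lowercase words separated by single spaces.
MNEMONIC = re.compile(r"^([a-z]+ ){11}[a-z]+$|^([a-z]+ ){23}[a-z]+$")
# Values that are acceptable in a sample file because they carry no secret.
PLACEHOLDERS = {"", "changeme", "your_key_here", "<redacted>", "xxx", "..."}
# Variable names that should only ever hold a placeholder in a committed file.
SENSITIVE_NAME = re.compile(r"(PRIVATE_KEY|MNEMONIC|SECRET|SEED)", re.IGNORECASE)


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, tolerating 'export ' prefixes, comments and quoted values."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def find_secrets(text: str) -> List[Dict[str, str]]:
    """Return one finding per variable whose value looks like real key material."""
    findings: List[Dict[str, str]] = []
    for key, value in parse_env(text).items():
        if value.lower() in PLACEHOLDERS:
            continue  # empty or obviously fake: fine in a sample file
        if HEX_PRIVATE_KEY.match(value):
            findings.append({"key": key, "reason": "64-hex-char value (raw private key)"})
        elif MNEMONIC.match(value):
            findings.append({"key": key, "reason": "12/24-word phrase (seed mnemonic)"})
        elif SENSITIVE_NAME.search(key):
            findings.append({"key": key, "reason": "sensitive variable holds a non-placeholder value"})
    return findings


def is_safe_to_commit(text: str) -> bool:
    """True when the file carries no value that should block the commit."""
    return not find_secrets(text)


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_ENV):
        print(f"{finding['key']}: {finding['reason']}")
```

Wired into a pre-commit hook over staged `.env*` files, any finding should block the commit; and because a key that has touched a repository has to be treated as exposed, the response to a hit is to rotate the key and move the funds, not just to delete the line.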

The Laundering Operations

After the thefts, the team used crypto mixers like Tornado Cash to hide the trail of stolen assets.

Kang, under the alias Wong Shao Onn, opened an exchange account using a doctored Malaysian ID.
Chang used a similar fake identity, “Bong Chee Shen,” to open another account.

After the assets were mixed, they were withdrawn into these accounts and completely hidden from the view of investors.

Overall, the DOJ’s indictments and law enforcement actions serve as a wake-up call for everyone involved with crypto.

North Korea is actively targeting blockchain firms, exploiting remote work culture and using fake identities to steal and launder crypto.

The crypto community must raise its security standards and remain alert to this threat at all times.

Disclaimer: Voice of Crypto aims to deliver accurate and up-to-date information, but it will not be responsible for any missing facts or inaccurate information. Cryptocurrencies are highly volatile financial assets, so research and make your own financial decisions.