In a striking example of cybercrime intersecting with international espionage, four North Korean nationals have been indicted for defrauding an Atlanta-based cryptocurrency startup of nearly $1 million. Announced by the US Department of Justice on July 1, 2025, as part of its DPRK RevGen: Domestic Enabler Initiative, this case highlights the sophisticated tactics used by state-sponsored actors to exploit the rapidly growing cryptocurrency industry. This article explores the details of the scheme, its broader context, other tactics employed by North Korean hackers, and the implications for the crypto sector.
Details of the Scheme
The defendants—Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il—face charges of wire fraud and money laundering for their roles in a calculated scheme to infiltrate a US-based blockchain startup and a Serbian crypto firm. By using fake and stolen identities, they concealed their North Korean nationality and secured positions as remote IT workers. The names of the affected companies have not been disclosed to protect their identities and ongoing investigations.
“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” said U.S. Attorney Theodore S. Hertzberg.
Initially operating from the United Arab Emirates, the group coordinated their efforts, using “laptop farms”—networks of computers configured to simulate remote work from US locations—to evade detection. Once embedded, they gained access to critical systems and manipulated smart contracts. In February 2022, Jong Pong Ju stole $175,000, followed by Kim Kwang Jin’s theft of $740,000 in March 2022, achieved by altering smart contract source code. The stolen cryptocurrency was laundered through virtual currency mixers, obscuring the transaction trail, and transferred to accounts controlled by their co-conspirators using fraudulent Malaysian identification documents.
| Incident Details | Description |
| Defendants | Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, Chang Nam Il |
| Charges | Wire fraud, money laundering |
| Theft Amounts | $175,000 (Feb 2022), $740,000 (Mar 2022) |
| Method | Manipulated smart contract code, used laptop farms |
| Laundering | Virtual currency mixers, fraudulent Malaysian IDs |
Other Tactics Used by North Korean Hackers
This incident is part of a broader strategy by North Korean cyber operatives to target the cryptocurrency sector. Another tactic involves creating fictitious US-based companies to lure developers into downloading malware-laden software through fake job interviews. For example, hackers established entities like Blocknovas LLC and Softglide LLC to distribute malicious software designed to steal sensitive information and grant unauthorized network access. These methods compromise individual developers and threaten entire organizations, exploiting the industry’s reliance on remote talent.
Broader Context of North Korean Crypto Heists
North Korea has increasingly targeted the cryptocurrency industry to fund its regime and weapons programs. A United Nations report indicates that North Korean hackers conducted 58 alleged crypto heists between 2017 and 2023, amassing approximately $3 billion. In 2023 alone, 17 hacks under investigation resulted in $750 million in stolen assets, including high-profile breaches like Atomic Wallet ($120 million) and Poloniex ($114 million).
The Lazarus Group, a notorious North Korean hacking collective, is often behind these operations. Their sophisticated techniques, including ransomware and insider breaches, have made them a significant threat to the global cryptocurrency ecosystem. For instance, the group collaborated with a South Korean company to distribute ransomware, collecting $2.6 million from over 700 victims.
The US has also taken action against these schemes, seizing $7.74 million in cryptocurrency linked to North Korean IT worker operations in June 2025. These funds, laundered through facilitators like Sim Hyon-Sop, highlight the scale of North Korea’s illicit activities in the crypto space.
Impact and Implications for the Crypto Industry
The infiltration of crypto startups by state-sponsored actors reveals critical vulnerabilities in the industry, particularly in remote hiring practices. The crypto sector’s remote-first culture and tendency to hire developers without thorough background checks create opportunities for malicious actors. Andrew Fierman, head of national security at Chainalysis, noted that North Korean IT workers “embed themselves within these organizations to gather intelligence, manipulate security protocols, and even facilitate insider breaches”.
To mitigate these risks, cryptocurrency companies should adopt robust security measures, including:
- Comprehensive Background Checks: Verify identities through video interviews and reference checks.
- Multi-Factor Authentication: Secure access to critical systems.
- Regular Security Audits: Review code, especially smart contracts, for vulnerabilities.
- Employee Training: Educate staff on cybersecurity and social engineering tactics.
- Threat Intelligence Sharing: Collaborate with cybersecurity firms to stay ahead of emerging threats.
Vladimir Sobolev of Hexens emphasized that the industry’s preference for cost-effective developers and avoidance of in-person meetings is a “fundamental issue” that needs addressing.
Conclusion
The indictment of four North Korean nationals for stealing $900,000 from a US crypto startup underscores the persistent threat of state-sponsored cyber operations. As North Korea continues to target the cryptocurrency industry, amassing billions through sophisticated heists, companies must strengthen their defenses. By implementing stricter hiring protocols and enhancing cybersecurity, the industry can protect itself from infiltration and maintain trust in its operations. This case serves as a wake-up call for the crypto sector to address vulnerabilities and safeguard its future.