DOJ Nails Four North Korean Hackers in $1M Crypto Heist Targeting Blockchain Startup
Feds drop the hammer on Pyongyang's cyber-bandits as crypto's wild west reputation gets another black eye.
The digital heist that embarrassed blockchain 'security'
Four state-sponsored hackers allegedly bypassed firewalls like they were using admin passwords—because they probably were. The $1 million theft exposes the uncomfortable truth: even crypto-native firms still rely on 20th-century opsec.
When 'code is law' meets 'plausible deniability'
The DOJ's indictment reads like a pentester's fever dream—spearphishing, infrastructure hijacking, and good old-fashioned greed. Meanwhile, VCs will keep writing checks to 'decentralized' startups that somehow always need centralized bailouts.
Another day, another crypto firm learning the hard way that anonymity cuts both ways. Maybe try spending less on ping pong tables and more on cybersecurity next time?
TLDR
- Four North Korean nationals posed as remote IT workers at a US blockchain startup and Serbian crypto company, stealing nearly $1 million in cryptocurrency
- The group used fake and stolen identities to secure positions, then exploited smart contracts and privileged access to drain funds in February and March 2022
- Stolen crypto was laundered through mixers and exchanges using fraudulent Malaysian identification documents
- DOJ conducted raids across 16 states, seizing 29 financial accounts, 21 websites, and 200 computers from “laptop farms”
- The scheme is part of North Korea’s broader strategy to fund weapons programs through cryptocurrency theft
Four North Korean nationals have been charged with wire fraud and money laundering after infiltrating a US blockchain startup and stealing nearly $1 million in cryptocurrency. The Department of Justice announced the charges Monday in the Northern District of Georgia.
The defendants – Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il – used fake and stolen identities to conceal their North Korean citizenship. They posed as remote IT developers to gain employment at crypto companies.
The group initially operated from the United Arab Emirates in 2019. They secured jobs at an Atlanta-based blockchain startup and a Serbian virtual token company between late 2020 and mid-2021.
Prosecutors said Kim and Jong submitted fraudulent documents including stolen and fabricated IDs to secure their positions. US Attorney Theodore S. Hertzberg called this tactic a “unique threat” to businesses hiring remote IT workers.
The defendants exploited their privileged access once hired. In February 2022, Jong stole about $175,000 in cryptocurrency from the companies.
The following month, Kim used the source code of smart contracts to steal $740,000. The total theft reached approximately $915,000 across both incidents.
Sophisticated Money Laundering Operation
The stolen funds were laundered through cryptocurrency mixers to obscure their origin. The money was then sent to exchange accounts controlled by Kang and Chang.
All the exchange accounts were set up using fraudulent Malaysian identification documents. This created a complex web designed to hide the theft from authorities.
The case forms part of the DOJ’s DPRK RevGen: Domestic Enabler Initiative. This program, launched in 2024, targets North Korea’s illicit revenue streams and the US-based enablers who support them.
Assistant Attorney General John A. Eisenberg said these schemes target US companies and evade sanctions. The stolen funds help finance North Korea’s weapons programs.
Coordinated Law Enforcement Response
Federal agents conducted coordinated raids across 16 states as part of the investigation. They seized almost 30 financial accounts and over 20 fraudulent websites.
Authorities also confiscated about 200 computers from “laptop farms” that enabled North Korean operatives to appear as US-based workers. These farms served as remote access points for the schemes.
The DOJ revealed that North Korean IT workers used stolen identities to gain jobs at over 100 American companies. The workers funneled millions of dollars to Pyongyang and accessed sensitive military data.
Andrew Fierman from blockchain analytics firm Chainalysis described how these agents “embed themselves within organizations” to gather intelligence and facilitate breaches. The threat actors use falsified documentation to mask their North Korean connections.
Last month, the DOJ filed a civil forfeiture complaint to seize $7.74 million in crypto allegedly earned by North Korean IT workers posing as remote blockchain contractors using fake identities.