CRYPTO LAUNDERING: How Tech Salaries Fund North Korea’s Weapons Programs

North Korea’s government-backed IT workers are quietly infiltrating global tech firms and contractor platforms, earning steady crypto salaries that are laundered through a sprawling network of intermediaries to fund the regime’s weapons programs, according to new analysis from Chainalysis.

The report says DPRK workers, often placed abroad by the sanctioned Chinyong (Jinyong) IT Cooperation Company, use VPNs, forged or stolen IDs, and even AI-generated voices and faces to pass remote-hiring checks. On-chain patterns show “salary-like” payments, frequently around $5,000 at near-monthly intervals and often requested in stablecoins favored by OTC brokers, the company said. 

Once paid, funds are pushed through decentralized exchanges, cross-chain bridges, and mainstream exchanges to break audit trails before consolidation with other illicit proceeds. U.S. and allied enforcement actions cited by Chainalysis include OFAC designations targeting facilitators such as Sim Hyon Sop of KKBC and the Chinese OTC trader Lu Huaying.

The report urges firms to conduct checks specific to identifying potential DPRK IT workers, including by identifying such red flags as “IP locations that don’t match stated locations, manipulated identification documents, and reluctance to participate in video calls or use of AI-generated profiles.”

Financial red flags include preferences for stablecoin payments, requests to split payments across multiple wallets, and complex third-party payment arrangements, according to the report. 

“Be particularly alert to candidates offering advanced technical skills at below-market rates,” Chainalysis said. 

Read the Chainalysis report here