North Korean developers, operating under the guise of fake freelancers, have reportedly accumulated over $16.5 million this year by infiltrating both cryptocurrency and traditional technology companies. This concerning finding comes from crypto sleuth ZachXBT, who estimates that the compensation paid to these North Korean information technology workers (ITWs) ranges between $3,000 and $8,000 per individual. This suggests a significant number of operatives, potentially between 345 and 920, are actively engaged in these deceptive employment schemes, funneling substantial funds through various digital channels.
US Exchanges Used for Fund Laundering
Contrary to widespread misconceptions that U.S.-based crypto exchanges maintain more stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements compared to their offshore counterparts, ZachXBT’s investigation reveals a different reality. The crypto scam investigator, in an X post detailing the probe’s findings, stated that these North Korean ITWs are increasingly utilizing U.S.-based crypto exchanges, including prominent platforms like Coinbase and Robinhood, to launder their illicitly obtained funds. While MEXC also remains a popular choice for ITWs to launder funds on-chain, this trend highlights a potential blind spot in current compliance frameworks.
Shifting Preferences: Binance Less Appealing
ZachXBT’s analysis also notes a shift in the preferred platforms for these North Korean operatives. While Binance was once their go-to platform for money laundering activities a few years ago, improvements in detection capabilities and increased private industry collaboration have made the crypto exchange significantly less appealing. These advancements, which have led to successful fund seizures, demonstrate the effectiveness of enhanced security measures and coordinated efforts in disrupting illicit financial flows, pushing bad actors to seek new avenues for their schemes.
Earlier Reports Corroborate Infiltration Tactics
The latest findings from ZachXBT’s investigation appear to corroborate earlier reports that suggested North Korean operatives were posing as freelance developers to secure employment within crypto and Web3 firms. A report released in May by DTEX, for instance, claimed that these operatives were systematically funneling cryptocurrency back to North Korea, with the ultimate objective of funding the nation’s military ambitions. This consistent pattern across multiple reports underscores a deliberate and organized strategy by North Korea to exploit the digital economy for its state-sponsored activities.
Traditional Tech Companies Also Targeted
While several reports had primarily alleged that North Korean operatives were focusing their efforts on crypto and Web3 companies, ZachXBT’s six-month investigation revealed a broader scope. His findings indicate that traditional technology companies are also employing North Korean ITWs. ZachXBT further explained why the consequences of such infiltration are even more severe for non-crypto companies: “The downside of fiat is you cannot trace funds back to the company to alert them, whereas when ITWs are paid with crypto it makes all activity on-chain traceable.” This highlights a critical difference in traceability between traditional and crypto payments.
Neobanks and Fintech Facilitate On-Ramping
The investigator also noted that the rise of neobanks and fintech platforms, particularly those with stablecoin integrations, has inadvertently made it easier for North Korean ITWs to convert fiat currency into crypto. This seamless on-ramping capability provides a crucial link in their laundering chain, allowing them to transform traditional earnings into digital assets that can then be moved and obscured more easily across various blockchain networks. This development points to a new challenge for financial institutions and regulators in monitoring cross-sector financial flows.
The “Cheap” Factor and Security Implications
ZachXBT concluded his findings by arguing that a primary reason North Korean operatives are successfully securing employment is simply because they are “cheap.” This cost-effectiveness makes them attractive hires, potentially leading companies to overlook critical security vetting processes. The widespread presence of these ITWs, as revealed by the investigation, poses significant security implications for all companies, regardless of their industry. It underscores the urgent need for enhanced vigilance, robust background checks, and sophisticated detection mechanisms to prevent state-sponsored actors from infiltrating legitimate businesses and exploiting financial systems for illicit purposes.
