Two federal indictments were unsealed today in the District of Columbia charging a North Korean Foreign Trade Bank (FTB) representative for his role in separate money laundering conspiracies designed to generate revenue for the Democratic People’s Republic of Korea through the use of cryptocurrency.

“The charges announced today respond to innovative attempts by North Korean operatives to evade sanctions by exploiting the technological features of virtual assets to facilitate payments and profits, and targeting virtual currency companies for theft,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “We will continue to work to disrupt and deter North Korean actors and those who aid them by following the money on the blockchain and shining a light on their conduct.”

According to court documents, Sim Hyon Sop (Sim), 39, is charged with allegedly conspiring with over-the-counter (OTC) cryptocurrency traders to use stolen funds to buy goods for North Korea and with conspiring with North Korean IT workers to generate revenue through illegal employment at blockchain development companies in the United States.

The first indictment involves a conspiracy between Sim and three OTC traders to launder stolen funds from virtual currency exchange hacks to make payments in U.S. dollars for goods on behalf of the North Korean government. The second involves a conspiracy between Sim and various North Korean IT workers to launder proceeds of illegal IT development work, where the IT workers gained employment at U.S. blockchain development companies using fake identities, and then laundered their ill-gotten gains through Sim for the benefit of the North Korean regime, and in contravention of sanctions imposed against North Korea by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the United Nations. Those sanctions were imposed to impede the development of North Korea’s ballistic missiles, weapons production, and research and development programs.

“Today’s indictments reveal North Korea’s continued use of various means to circumvent U.S. sanctions,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “We can and will ‘follow the money,’ be it through cryptocurrency or the traditional banking system, to bring appropriate charges against those who would help to fund this corrupt regime.” 

According to court documents, North Korean national Sim, Chinese national Wu Huihu (Wu), Hong Kong British National (Overseas) Cheng Hung Man (Cheng), and the user of the online moniker live:jammychen0150 (“Jammy Chen”) conspired to launder stolen cryptocurrency and then used those funds to purchase goods through Hong Kong-based front companies on behalf of North Korea. Sim directed these payments, which were made in U.S. dollars, through “Jammy Chen.” “Jammy Chen” then recruited Wu and Cheng, both of whom were OTC traders, to find sham front companies and facilitate the payments to avoid U.S. sanctions against North Korea.

“As criminals engage in new methods of exploiting and laundering cryptocurrency, the FBI will continue to relentlessly pursue them and bring them to justice,” said Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division. “These individuals used their illicit criminal activity to aid the Democratic People’s Republic of Korea. Today’s indictment demonstrates the power of strong investigative work and collaboration amongst partners in holding state operatives accountable.” 

Sim also allegedly conspired to launder funds generated by North Korean IT workers who obtained illegal employment in the tech and crypto industry. These IT workers used fake personas to get jobs, including jobs at U.S.-based companies, and then asked to be paid in cryptocurrencies, such as stablecoins like USD Tether (USDT) and USD Coin (USDC), which are pegged to the U.S. dollar. After receiving payment, they funneled their earnings back to North Korea through Sim.

According to court documents, the Reconnaissance General Bureau (RGB) is North Korea’s primary intelligence and clandestine operations unit, known to have a cyber capability that has come to be known within the cybersecurity community as both Lazarus Group and Advanced Persistent Threat 38 (APT38). APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive cyber-attacks since at least 2014 to generate revenue for its ballistic missile and WMD programs. Specifically, these North Korean hackers have worked in concert to conduct cyber-attacks against victims located in the United States and around the world, including hacks against financial institutions and virtual asset service providers. North Korean actors have gained unauthorized access to these victim networks as part of their fraudulent scheme through a variety of means, including through spear-phishing messages designed to induce victims to download and execute malicious software developed by the hackers.  

Since 2017, as part of its cyber campaign, North Korean hackers have also executed virtual currency-related thefts to generate revenue for the regime, including through the hacking of virtual asset service providers, such as virtual currency exchanges. A portion of the proceeds from those virtual currency theft and fraud schemes was sent to virtual currency address 1G3Qj4Y4trA8S64zHFsaD5GtiSwX19qwFv, which Sim and his OTC trader coconspirators used to fund payments for goods for North Korea.

To generate revenue for the regime, North Korea also deploys IT workers to obtain illegal employment in the cryptocurrency industry. According to court documents, North Koreans apply for jobs in remote IT development work without disclosing that they are North Korean. These IT workers bypass security and due diligence checks through the false or fraudulent use of identity documents and other obfuscation strategies, such as virtual private networks to hide their true location from online payment facilitators and hiring platforms. The IT workers request payment for their services in virtual currency and then send their earnings back to North Korea via, among other methods, FTB representatives such as Sim.

A third indictment also unsealed today in the District of Columbia separately charges Wu with operating an unlicensed money transmitting business. According to court documents, Wu operated as an OTC trader on a U.S.-based virtual currency exchange and conducted over 1,500 trades for U.S. customers without obtaining the necessary licenses.

The FBI Chicago Field Office and FBI’s Virtual Assets Unit (VAU) are investigating the cases.