North Korean IT network: arrests and millions confiscated
US authorities have dismantled a North Korean network of IT workers that stole over $7 million in cryptocurrencies.
On June 30, 2025, the US Department of Justice (DOJ) and the FBI announced significant progress in the fight against North Korean cybercrime. In a sweeping operation, arrests and charges were announced in connection with an international network of North Korean IT workers that infiltrated over 100 U.S. companies to steal money and sensitive information. These workers used the compromised identities of more than 80 US citizens.
The actions taken in this operation resulted in significant legal fees and costs totaling over $3 million. Among the stolen assets is a sum of at least $900,000 in cryptocurrencies taken from a company in Georgia. In addition, data and source code, including confidential information under the International Traffic in Arms Regulations (ITAR), were stolen from a California defense contractor.
Arrests and charges in detail
The operation included not only one arrest, but also two formal indictments and searches at over two dozen U.S. locations. During these searches, numerous laptops, financial accounts and websites were seized. Zhenxing “Danny” Wang and Kejia Wang, both U.S. citizens, are the main defendants; while Zhenxing Wang was arrested in New Jersey, Kejia Wang remains at large. Both men are said to have cooperated with four other US intermediaries to obtain laptops and set up fake companies, for which they received almost $700,000.
These measures are part of a larger strategy by US authorities aimed at dismantling a global network of IT workers operated by North Korea. According to IT Boltwise, cryptocurrencies worth over 7.74 million US dollars were confiscated in this context. These digital currencies were allegedly used to circumvent sanctions and finance North Korean weapons programs.
A network of cyber criminals
The background of the operation dates back to 2017, when North Korea began smuggling IT workers into the USA under false identities. These workers used stolen or fictitious identities to gain access to sensitive information and financial resources. A key aspect of these networks is the ability to use AI tools like OpenAI's ChatGPT to bypass security checks.
Particular attention was drawn to Sim Hyon-Sop, a representative of North Korea's Foreign Trade Bank, who is accused of laundering illegally acquired funds. Between August 2021 and March 2023, he received over $24 million in cryptocurrencies, which were used for the network's activities.
North Korean IT workers are divided into two categories: Revenue IT Workers (R-ITW), who aim to secure revenue, and Malicious IT Workers (M-ITW), who specifically harm companies. To effectively combat the activities of these groups, new approaches that go beyond traditional security indicators are necessary. Experts also warn about the potential use of blockchain and Web3 technologies by North Korean cyber actors to expand their criminal activities.