ZoeCyber
June 17, 2025 at 08:34 AM
*🔐 U.S. Seizes $7.74M in Crypto from North Korea’s Global Fake IT Worker Network: AI, Deep Fakes, and Laptop Farms Fuel Espionage Empire*

In a dramatic crackdown on a sprawling North Korean cybercrime operation, the U.S. Department of Justice (DoJ) has seized over $7.74 million in cryptocurrency, NFTs, and other digital assets tied to an elaborate fake IT worker scheme used to fund Pyongyang’s weapons programs and evade sanctions.

For years, North Korean operatives have quietly embedded fake tech workers in U.S. crypto firms, laundering the proceeds through a covert digital network stretching across Russia, China, Laos, the UAE, and beyond. Armed with stolen identities, AI tools like ChatGPT, and fake LinkedIn profiles, these rogue freelancers slipped past due-diligence checks, landed remote jobs, and funneled millions in earnings back to the regime.

> “North Korea has weaponized remote work,” said Sue J. Bai of the DoJ’s National Security Division. “They’re using our own infrastructure to bankroll their missile programs.”

*💻 Behind the Screen: Fake Jobs, Real Damage*

Tracked by cybersecurity researchers under names such as Wagemole and UNC5267, the operation dates back to 2017 and has grown into a state-sponsored cybercrime syndicate. The workers fall into two categories:

- R-ITWs (Revenue IT Workers): focused on generating income for the regime.
- M-ITWs (Malicious IT Workers): plant backdoors, sabotage crypto systems, or steal intellectual property.

To operate inside the U.S., North Korean agents recruited laptop farm facilitators around the globe: people who host company-issued laptops at their own addresses so that an overseas worker appears to be logging in from a U.S. location. One of them, Christina Marie Chapman, a TikTok influencer and former massage therapist, was lured into the scheme via a LinkedIn message. She pleaded guilty earlier this year and will be sentenced in July.
*🌐 A Global Cyberweb of Deceit*

Investigators traced over $24 million in crypto flowing through wallets controlled by Sim Hyon-Sop, a Foreign Trade Bank official based in Dubai, and Kim Sang Man, head of a front company called Chinyong that operated out of Russia and the UAE under forged Russian identities. The operation’s tradecraft included:

- Laptop farms to mimic U.S.-based remote workers
- BYOD (Bring Your Own Device) abuse to infiltrate company systems
- Zoom exploits and stealthy C2 channels using ARP packets and WebSockets
- Fake domains and malware to steal references and credentials

One compromised host was found in Lahore, Pakistan, with browser history exposing translations for fake job references and the shipping of tech gear across borders.

*From Freelance Fraud to Corporate Espionage*

Security firm DTEX warns that the operation is growing bolder, shifting from contract work to direct attacks. In some cases, malware-laced campaigns like "Contagious Interview" (aka Gwisin Gang) bypass hiring altogether, breaking into the accounts of already-employed developers to gain access.

> “These actors don’t just write code—they write deception at scale,” said Matt Ryan, cybersecurity researcher.

*What’s Next? Target: Traditional Finance*

Experts warn that as traditional banks adopt Web3 and blockchain technology, DPRK cyber operations may soon set their sights on the financial sector. The era of silent infiltration isn’t over; it’s just getting smarter.
👍 2
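The laptop-farm and BYOD tactics described in the post lend themselves to a concrete detection check. The following is an added example and not code from the original post, the DoJ filing, or DTEX. The log format, worker identities, IP addresses, device fingerprints, the list of remote-control tools and the alert thresholds are all constructed or assumed for illustration. It flags three indicators that a company-issued laptop is being driven by someone other than the hired identity: several identities authenticating from one IP address, one hardware fingerprint shared by several identities, and a remote-control tool running on the endpoint.

```python
"""Laptop-farm indicator triage over constructed remote-access logs.

Added example, not from the original post or any vendor. Every log line,
identity, IP, fingerprint and tool name below is constructed.
Signals (assumed heuristics, not a vendor's detection logic):
  1. shared_ip            - >= MIN_IDENTITIES_PER_IP identities from one IP
  2. shared_device        - one device fingerprint used by >= 2 identities
  3. remote_control_tool  - a remote-desktop tool seen on the endpoint
"""
import re
from collections import defaultdict

# Constructed sample log lines: timestamp, identity, source IP,
# endpoint hardware fingerprint, foreground process reported by the agent.
SAMPLE_LOGS = """\
2025-06-10T13:02:11Z user=jdoe src=203.0.113.24 devfp=a1f3c9 proc=code
2025-06-10T13:05:42Z user=msmith src=203.0.113.24 devfp=a1f3c9 proc=slack
2025-06-10T13:07:09Z user=kwong src=203.0.113.24 devfp=a1f3c9 proc=anydesk
2025-06-10T14:11:58Z user=alee src=198.51.100.7 devfp=77b2e0 proc=code
2025-06-10T15:30:00Z user=rgarcia src=192.0.2.88 devfp=c0ffee proc=teamviewer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"devfp=(?P<devfp>\S+) proc=(?P<proc>\S+)$"
)

# Assumed list of remote-control tools a farm operator installs so the
# overseas worker can drive the U.S.-located machine.
REMOTE_CONTROL_PROCS = {"anydesk", "teamviewer", "rustdesk"}

# Two employees in one household is normal; three or more identities behind
# one residential IP is the assumed alert threshold.
MIN_IDENTITIES_PER_IP = 3


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip malformed lines
            events.append(m.groupdict())
    return events


def laptop_farm_findings(events, min_identities=MIN_IDENTITIES_PER_IP):
    """Return (kind, subject, detail) tuples for each indicator found."""
    users_by_ip = defaultdict(set)
    users_by_fp = defaultdict(set)
    remote_control = set()

    for e in events:
        users_by_ip[e["src"]].add(e["user"])
        users_by_fp[e["devfp"]].add(e["user"])
        if e["proc"].lower() in REMOTE_CONTROL_PROCS:
            remote_control.add((e["user"], e["src"], e["proc"].lower()))

    findings = []
    for ip, users in users_by_ip.items():
        if len(users) >= min_identities:
            findings.append(("shared_ip", ip, sorted(users)))
    # A single hardware fingerprint behind two hired identities is the
    # strongest signal: one physical laptop, many "employees".
    for fp, users in users_by_fp.items():
        if len(users) >= 2:
            findings.append(("shared_device", fp, sorted(users)))
    for user, ip, proc in sorted(remote_control):
        findings.append(("remote_control_tool", f"{user}@{ip}", [proc]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in laptop_farm_findings(parse_logs(SAMPLE_LOGS)):
        print(f"{kind:20} {subject:22} {', '.join(detail)}")
```

Note that IP geolocation alone does not catch a laptop farm: the machine really is in the United States, so its address resolves to a U.S. residential ISP. The shared hardware fingerprint and the remote-control software are the signals that survive that, which is why the example weights them separately from the IP check. In practice the events would come from an identity provider and an EDR agent rather than a text blob, and the thresholds would be tuned to the organization.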