US authorities and blockchain intelligence firms are increasing efforts to curb illicit cryptocurrency activity tied to state-backed actors. In two separate but thematically linked developments, the Department of Justice moved to seize $7.74 million linked to North Korean IT operatives using false identities to infiltrate crypto firms, while AML platform Global Ledger reported that over $15 million in reserves tied to the sanctioned Russian exchange Garantex remains active.
US DOJ Moves to Seize $7.74M in Crypto Earned by North Korean IT Workers Using Fake Identities
The United States Department of Justice (DOJ) has initiated civil forfeiture proceedings to seize over $7.74 million in cryptocurrency assets allegedly obtained by North Korean IT operatives who infiltrated the global blockchain industry using false identities. The seized assets—held across multiple self-custody wallets and Binance accounts—include Bitcoin (BTC), stablecoins like USDC and USDT, non-fungible tokens (NFTs), and Ethereum Name Service (ENS) domains.
The move follows a broader indictment from April 2023 against Sim Hyon Sop, a China-based financier accused of laundering funds for the North Korean government. In a statement released on June 5, the DOJ confirmed that the assets had initially been frozen during that 2023 action but were now subject to permanent seizure due to their connection to sanctioned North Korean entities.
According to the DOJ’s civil complaint filed in federal court in Washington, D.C., the scheme involved North Korean IT professionals obtaining remote work contracts with blockchain and cryptocurrency firms, primarily in Western markets. These operatives used forged or stolen identification documents to masquerade as legitimate freelancers and developers, often working for months undetected.
Once paid, the IT workers allegedly converted their salaries into stablecoins like USD Coin (USDC) and Tether (USDT), and used advanced laundering tactics to obfuscate the origin of the funds. These included “chain-hopping” (moving assets across multiple blockchain networks) and converting funds into NFTs, an increasingly common tactic in illicit crypto transactions.
The ultimate goal, according to the DOJ, was to funnel the laundered proceeds back to the North Korean regime through Sim and another sanctioned operative, Kim Sang Man, who has been previously blacklisted by the US Treasury’s Office of Foreign Assets Control (OFAC) for his role in facilitating illicit financing.
DOJ and National Security Leaders Sound the Alarm
The Department of Justice has increasingly prioritized countering cyber and financial crimes tied to nation-state actors, particularly those from North Korea, Iran, and Russia. This case adds another layer of complexity, showing that cyber-enabled threats now extend into labor markets through freelance and remote job networks.
The case is the latest in a series of revelations detailing North Korea’s strategic pivot to cryptocurrency and blockchain technology as an alternative financing channel amid crippling international sanctions.
In April, Google’s Threat Intelligence Group released a report showing that North Korean hacking and infiltration activities have expanded to blockchain companies outside the US, with a growing focus on firms in Europe. The report cited increased regulatory enforcement in the United States as the reason for this geographic shift.
Blockchain investigator ZachXBT previously reported in August 2024 that some North Korean-linked developers had embedded themselves in legitimate projects, earning up to $500,000 per month. Many of these developers were allegedly operating under Western aliases and providing smart contract development, auditing, and DeFi services to unsuspecting clients.
Growing Industry Awareness, but Gaps Remain
In response to the rising threat, the DOJ, the Department of State, and the US Treasury issued a joint advisory in 2022 warning tech firms—especially in the cryptocurrency sector—about the infiltration risk posed by North Korean IT workers.
The advisory recommended enhanced KYC (Know Your Customer) and background verification for remote workers, emphasizing that blockchain companies are prime targets due to their often decentralized hiring practices and frequent use of anonymous work platforms.
Despite these warnings, enforcement remains difficult. Many of the North Korean operatives reportedly use sophisticated anonymization tools, hire third-party intermediaries to pass job interviews, and use AI-generated documentation to build credible online personas.
$15 Million in Garantex Reserves Still Active, AML Firm Warns of Sanctions Weakness
Meanwhile, according to a new report published by Global Ledger, dormant crypto wallets associated with Garantex have resumed activity in recent months. The company’s Ethereum wallet, once inactive, began accumulating Ether (ETH) on March 6, and later funneled $2.3 million worth of the token through Tornado Cash—an Ethereum-based mixer sanctioned by the US Treasury in 2022 for enabling illicit finance.
That same Ethereum wallet still holds approximately $6.1 million in ETH, which remains unmoved for now. In parallel, Bitcoin (BTC) reserves connected to Garantex also show suspicious movement. At least 2.2 BTC was bridged over to the TRON network and partially transferred to another platform, Grinex, according to Global Ledger’s on-chain analysis.
Garantex ETH flows (Source: Global Ledger)
Lex Fisun, CEO and co-founder of Global Ledger, described the case as a wake-up call for regulators and a glaring example of how sanction enforcement continues to fall short in the decentralized financial ecosystem.
“The Garantex case undermines the illusion of control that many still cling to,” Fisun said in an interview. “$15 million moving freely through obscure chains and mixers isn’t a failure of law — it’s a failure of sanction enforcement.”
Fisun’s criticism highlights the core dilemma facing governments and regulatory bodies attempting to police blockchain networks, where assets can often be rapidly shuffled, bridged across chains, or disguised through privacy-enhancing tools like mixers or synthetic swaps.
Tether’s Role and Garantex's Shutdown
The renewed attention on Garantex began on March 6, when Tether Ltd., issuer of the stablecoin USDT, froze $27 million worth of tokens held in the exchange’s wallets. The same day, Garantex abruptly halted its operations, accusing Tether of waging “war against the Russian crypto market.”
At the time, Garantex claimed its frozen wallets contained more than 2.5 billion rubles, roughly equivalent to the $27 million in frozen USDT. While this action represented one of the most aggressive enforcement steps taken by a stablecoin issuer, it also prompted backlash from Russia and sparked a broader debate about the geopolitics of financial infrastructure in the digital age.
Garantex has faced mounting legal scrutiny since being sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) in April 2022. OFAC accused the exchange of willfully disregarding Anti-Money Laundering (AML) protocols and facilitating illicit transactions, including those linked to ransomware and darknet markets.
The European Union followed suit, adding Garantex to its own sanctions list on Feb. 24, 2025—coinciding with the anniversary of Russia’s full-scale invasion of Ukraine.
Adding to the legal firestorm, Garantex’s founder, Aleksej Bešciokov, was arrested on March 12 while vacationing with his family in India. The US has reportedly filed multiple conspiracy charges against him, including conspiracy to commit money laundering, and is seeking his extradition. If extradited, Bešciokov could become the highest-profile crypto executive from Russia to stand trial in the US for sanctions violations.
Russia Eyes Stablecoin Alternatives
In response to Tether’s clampdown, Russian officials are ramping up efforts to reduce reliance on foreign-controlled stablecoins. On April 17, Russian finance ministry official Osman Kabaloev remarked that recent developments had revealed the geopolitical risk of stablecoins like USDT.
“We do not impose restrictions on the use of stablecoins within the experimental legal regime,” Kabaloev told state-owned media outlet TASS. “But recent developments have shown that this instrument can pose risks for us.”
Just a week later, on April 24, Russia’s Ministry of Finance and Central Bank announced joint plans to launch a new digital asset exchange, one that would cater to what they call “super-qualified” investors. While details remain sparse, the move indicates Moscow’s desire to build financial infrastructure less susceptible to foreign control.
The ongoing Garantex affair illustrates the growing limitations of traditional sanctions in the digital asset space. While financial blacklists and token freezes can offer short-term wins, crypto’s decentralized architecture allows for creative circumvention. Techniques like chain-hopping, privacy coin utilization, and bridging to obscure blockchains such as TRON continue to present massive enforcement challenges.
Global Ledger’s findings serve as a stark reminder that sanctioning an exchange is not the same as neutralizing its reserves. Without real-time surveillance, stronger cross-jurisdictional collaboration, and technological enforcement tools, illicit funds may continue slipping through the cracks.
The case also places new pressure on major players in the crypto infrastructure space—from centralized exchanges to stablecoin issuers—to adopt more aggressive compliance frameworks and enhance transparency when it comes to enforcement cooperation.