North Korean nationals wanted in cryptocurrency embezzlement scheme; $5M reward

Federal prosecutors have charged four North Korean nationals in a cryptocurrency embezzlement scheme that targeted companies in Georgia and Serbia, allegedly funneling more than $900,000 in stolen digital assets back to the North Korean regime to support weapons development and evade international sanctions.

A five-count indictment unsealed Monday in the Northern District of Georgia names Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il as defendants in the case, accusing them of wire fraud and money laundering. The group allegedly posed as remote IT workers using fake and stolen identities to gain employment and access sensitive company systems.

“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” said U.S. Attorney Theodore S. Hertzberg. “This indictment highlights the unique threat North Korea poses to companies that hire remote IT workers.”

North Korean crypto scheme

What we know:

According to federal prosecutors, Kim and Jong were hired by an Atlanta-based blockchain development company and a Serbian virtual token firm in late 2020 and early 2021. Kim allegedly used a stolen identity, while Jong used the alias “Bryan Cho.” On Jong’s recommendation, the Serbian company later hired “Peter Xiao,” who was allegedly Chang Nam Il.

After gaining the companies’ trust, the two operatives were given access to digital assets. In February 2022, Jong allegedly stole about $175,000 in cryptocurrency by transferring it to an address he controlled. The following month, Kim reportedly modified two smart contracts at the Atlanta company, redirecting roughly $740,000 worth of cryptocurrency to another account.

To hide the source of the stolen funds, prosecutors say the defendants used the cryptocurrency mixer Tornado Cash—a platform previously sanctioned by the U.S. Treasury—and then transferred the laundered funds into crypto exchange accounts held by Kang and Chang. The accounts were registered under fake names using fraudulent Malaysian identification documents.

The defendants are believed to have traveled to the United Arab Emirates in 2019 on North Korean travel documents and worked there together as a co-located team. None of the victim companies knew they were employing North Korean nationals.

FBI targeting DPRK cyber attacks

Big picture view:

The FBI and DOJ warned companies, particularly those in the cryptocurrency and tech sectors, to thoroughly vet remote employees. Officials pointed out red flags such as resistance to video calls, frequent address changes, and keyboard settings defaulted to Korean.

This prosecution is part of the DOJ’s DPRK RevGen: Domestic Enabler Initiative, which targets cyber-enabled revenue operations tied to North Korea and their enablers inside the United States.

FBI issues hiring warning

Local perspective:

In conjunction with the charges, FBI Atlanta issued a public alert on Monday warning businesses—particularly in the tech and cryptocurrency sectors—to tighten hiring practices for remote IT positions.

Officials say North Korean operatives are increasingly using artificial intelligence, face-swapping technology, and recycled contact information such as VOIP numbers and emails to disguise their identities during job interviews. Some are reportedly reusing social media profiles and resume content across multiple fraudulent applications.

“If companies that work in this space want to protect themselves, they would be wise to hire Americans and thoroughly vet all potential employees and business partners,” Hertzberg added.

FBI guidance recommends steps such as:

  • Implementing identity verification at multiple stages of employment
  • Avoiding reliance on applicant-submitted background checks
  • Reviewing applicant resumes for duplicate content, typos, and foreign terminology
  • Verifying social media and communication patterns for inconsistencies
  • Geolocating issued devices and blocking administrative access by default
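As an added illustration of the cross-application checks the guidance describes (reused contact details such as phone numbers and emails, and duplicated resume text), this screening helper is not part of the FBI alert or the original article; the applicant records are constructed sample data and the similarity threshold is an assumption.

```python
import re
from itertools import combinations

# Constructed sample applications (hypothetical data, not from the indictment).
APPLICATIONS = [
    {"id": "A1", "name": "Bryan C.", "email": "dev.bryan@example.com",
     "phone": "+1 (404) 555-0101",
     "resume": "Senior blockchain engineer with 6 years Solidity and smart contract auditing experience"},
    {"id": "A2", "name": "Peter X.", "email": "peter.x@example.com",
     "phone": "404-555-0101",
     "resume": "Senior blockchain engineer with 6 years of Solidity and smart-contract auditing experience"},
    {"id": "A3", "name": "Dana R.", "email": "dana@example.org",
     "phone": "+1 415 555 0199",
     "resume": "Frontend developer focused on React accessibility and design systems"},
]

def normalize_phone(phone):
    """Keep digits only and drop a leading US country code so formats compare equal."""
    digits = re.sub(r"\D", "", phone)
    return digits[-10:] if len(digits) > 10 else digits

def shingles(text, k=3):
    """Word k-grams of the lower-cased, punctuation-stripped resume text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Set overlap ratio; 1.0 means identical shingle sets, 0.0 means disjoint."""
    return len(a & b) / len(a | b) if a | b else 0.0

def find_red_flags(apps, threshold=0.5):
    """Return (id_a, id_b, reason) tuples for pairs sharing contact data or resume text.

    The 0.5 similarity threshold is an assumed tuning value for review, not a verdict.
    """
    flags = []
    for a, b in combinations(apps, 2):
        if normalize_phone(a["phone"]) == normalize_phone(b["phone"]):
            flags.append((a["id"], b["id"], "shared phone number"))
        if a["email"].lower() == b["email"].lower():
            flags.append((a["id"], b["id"], "shared email"))
        sim = jaccard(shingles(a["resume"]), shingles(b["resume"]))
        if sim >= threshold:
            flags.append((a["id"], b["id"], f"resume similarity {sim:.2f}"))
    return flags

if __name__ == "__main__":
    for flag in find_red_flags(APPLICATIONS):
        print(flag)
```

Flagged pairs are a prompt for a human reviewer to request live identity verification, not an automatic rejection.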
