FBI issues wanted notice for alleged North Korean remote IT workers accused of $900,000 crypto theft — $5 million reward up for grabs for information on DPRK-linked suspects
Federal warrants name four suspects who posed as U.S.-based developers using company hardware.
The FBI has published a public wanted notice naming four individuals accused of operating as fraudulent remote IT workers on behalf of the Democratic People’s Republic of Korea (North Korea), tying the group to identity theft, wire fraud, and the alleged theft of more than $900,000 in virtual currency from U.S. companies. The FBI has issued a $5 million reward for information "that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea."
According to the FBI, arrest warrants were issued on June 24, 2025, in the Northern District of Georgia. Prosecutors allege the defendants used stolen or falsified identities to obtain remote software engineering and IT roles, then abused their access to company systems and digital wallets during 2022. The bureau says the stolen funds were subsequently laundered through cryptocurrency transactions.
The FBI’s wanted notice lists aliases, dates of birth, language abilities, and travel links to countries including the United Arab Emirates and Laos, describing how the accused allegedly presented themselves as legitimate remote workers while operating on behalf of the DPRK.
Earlier this year, the U.S. Department of Justice said that, in a related operation, it had searched 29 suspected “laptop farm” locations across 16 states, seizing dozens of financial accounts and websites used to support the scheme. Investigators described laptop farms as physical locations in the U.S. where company-issued systems are delivered, powered on, and connected to corporate networks, allowing overseas workers to control them while appearing to be domestic.
In 2022, the FBI said that North Korea "has dispatched thousands of highly skilled IT workers around the world" who "in many cases misrepresent themselves as foreign (non-North Korean) or U.S.-based teleworkers, including by using virtual private networks (VPNs), virtual private servers (VPSs), purchased third-country IP addresses, proxy accounts, and falsified or stolen identification documents" in a bid to evade detection for as long as possible.
It’s not difficult to see why crypto-linked companies are frequent targets. Access to internal repositories, signing keys, and wallets can be far more valuable than traditional payroll fraud, particularly when attackers maintain long-term access under the guise of legitimate employment. By issuing a public wanted notice, the FBI is piling pressure on both the operators and the support networks that make the schemes viable.

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.