TRM Labs analyzed the DOJ forfeiture action targeting more than $7.7 million in cryptocurrency, NFTs, and digital assets allegedly tied to a North Korean IT worker laundering network. The activity involved DPRK nationals deployed abroad, mainly in China, Russia, and the UAE, using forged identities, VPNs, stolen or false documents, and remote developer roles at technology, blockchain, and DeFi companies. Payments in USDC, USDT, and other assets were routed through self-custodied wallets, centralized exchanges, alternate chains, privacy-enhancing methods, OTC brokers, and consolidation addresses before reaching DPRK-linked entities. Key figures described include Sim Hyon Sop of North Korea's Foreign Trade Bank and Kim Sang Man of Chinyong, with wallet and account artifacts such as Korean-language devices, Russia and UAE logins, and reused devices helping investigators connect fake personas. TRM frames the case as part of North Korea's broader crypto revenue playbook, where fake IT work increasingly complements large-scale Lazarus-linked thefts such as exchange hacks.