The Context

In June 2025, the U.S. Department of Justice moved to seize $7.74 million in cryptocurrency linked to a North Korean money laundering network. This was not a simple hack. The funds came from a scheme in which North Korean operatives, using forged identities such as “Joshua Palmer”, secured remote IT roles at U.S. firms, including blockchain startups. Their salaries, together with the proceeds of crypto theft, were laundered through a network of wallets and traders, with over $24 million flowing to a single wallet controlled by Sim Hyon-Sop, a representative of North Korea’s Foreign Trade Bank. This is not just a sanctions breach; it is a systemic failure of corporate due diligence that inadvertently funded a weapons programme.

The Risk

Your company does not need to be in the U.S. to be exposed. Any New Zealand entity with remote workers, contractors, or cryptocurrency dealings could be an unwitting node in such a network. Directors may be personally liable if they fail to exercise reasonable care in overseeing financial crime controls. While the U.S. action cites wire fraud and the International Emergency Economic Powers Act, the principle translates directly to New Zealand: a failure to implement adequate customer or employee due diligence could be treated as a breach of the duty under section 137 of the Companies Act 1993 to exercise the care, diligence, and skill of a reasonable director. More pointedly, if your firm’s payments are traced to sanctions evasion, you face reputational contagion, regulatory scrutiny from the FMA or your AML/CFT supervisor, and potential civil asset forfeiture actions that can freeze company funds.

The Control

Treat your remote workforce and crypto transactions as high-risk vectors, and move beyond one-off identity checks at onboarding. For critical roles, especially in tech and finance, implement ongoing verification and monitoring that can detect forged, stolen or synthetic identities. Demand that management map your financial exposure to cryptocurrency, not just as an investment but as a payment channel. Your compliance programme must be calibrated to detect layered transactions designed to obscure beneficial ownership, a hallmark of this scheme.

The Challenge

These are the critical questions you should be raising at the board table:

What specific, evidence-based controls do we have to verify that our remote contractors or employees are not using forged identities, and how often is this verification re-checked?

If we accept cryptocurrency payments or hold it on our balance sheet, what is our process for tracing the source of funds to ensure we are not receiving the proceeds of crime or sanctions evasion?

When was the last time our board received a briefing on the specific financial crime risks presented by our operational model, and what concrete metrics prove our defences are effective?