North Korea isn't just building missiles - it's building crypto heists. In 2025 alone, U.S. intelligence and financial watchdogs tracked over $2.1 billion in cryptocurrency stolen by North Korean cyber units, much of it funneled directly into weapons programs banned by international law. The Office of Foreign Assets Control (OFAC), part of the U.S. Treasury, has responded with the most aggressive sanctions campaign against crypto-linked North Korean operations in history. This isn't just about freezing wallets. It's about dismantling entire networks of fake IT workers, shell companies, and money mules hiding in plain sight inside American tech firms.
How North Korea Uses Fake IT Workers to Steal Crypto
Picture this: a remote software developer in a U.S. startup, working from home, using a GitHub profile that looks legitimate. Their name? Joshua Palmer. Their resume? Clean. Their code? Solid. But Joshua Palmer doesn't exist. He's a fabricated identity, built from stolen documents and reused across dozens of operations. This is how North Korea infiltrates crypto companies - not with hackers breaking in through firewalls, but with people hired on Upwork, Freelancer, or RemoteHub, posing as skilled contractors.
These workers aren't just writing code. They're scouting. They're mapping internal systems, stealing API keys, copying wallet addresses, and planting backdoors. Once they've gathered enough intel, they trigger ransomware attacks or quietly siphon off stablecoins like USDC and ETH. The money moves through a chain of self-hosted wallets, then gets converted to cash via over-the-counter (OTC) brokers - some of which OFAC has already sanctioned. One North Korean operative, Kim Ung Sun, alone moved nearly $600,000 in crypto-to-cash conversions, according to U.S. court filings.
The names of these threat groups aren't random. Security researchers call them Famous Chollima, Jasper Sleet, UNC5267, and Wagemole. These aren't hackers in a basement. They're state-run units under the Workers' Party of Korea, operating with military precision. Their targets? Startups and Web3 firms that hire remotely, don't do deep background checks, and assume a resume and a Zoom call are enough.
The Sanctions That Hit Hard in 2025
On August 27, 2025, OFAC dropped its biggest blow yet. It sanctioned Russian national Vitaliy Sergeyevich Andreyev, North Korean citizen Kim Ung Sun, and two companies: Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation. These weren't random names. They were linchpins in the global money pipeline.
Andreyev, based in Russia, helped move funds through Russian banks and crypto exchanges that ignored sanctions. Kim Ung Sun coordinated the cash-out operations, turning digital assets into physical U.S. dollars through intermediaries in China and the UAE. The two companies? Fronts. They appeared as legitimate IT outsourcing firms but were, in reality, recruitment hubs for North Korean operatives.
This wasn't a one-off. OFAC had already targeted entities on July 8 and July 24, 2025. And before that, in May 2023, they hit Chinyong Information Technology Cooperation Company - one of the first major cases exposing how North Korea uses fake IT firms to hide its operations. Now, the list has grown to include Korea Sobaeksu Trading Company and individuals like Kim Se Un, Jo Kyong Hun, and Myong Chol Min, all tied to sanctions evasion.
The Department of Justice didn't stop at sanctions. In June 2025, they filed a civil forfeiture complaint seeking over $7.7 million in seized digital assets - including ETH, USDC, and even high-value NFTs. These weren't random wallets. They were traced back to specific fake identities used by North Korean workers embedded in crypto startups. One wallet, linked to the alias "Alex Hong," had received over $1.2 million in stablecoin payments from U.S. employers.
How the Money Flows - From Code to Cash
The laundering process is chillingly simple:
- A North Korean operative gets hired as a remote developer under a fake identity.
- They gain access to company systems, crypto wallets, or payroll integrations.
- They start receiving payments in USDC or other stablecoins - often in exchange for "freelance work" that never happened.
- The funds move into a series of intermediate wallets, each transferring small amounts to avoid detection.
- They're routed through exchanges in jurisdictions with weak AML rules - Russia, UAE, Laos, or China.
- Final conversion to cash happens through sanctioned OTC brokers, who then deliver physical dollars to North Korean operatives.
TRM Labs, a blockchain analytics firm, found that 87% of these transactions used the same wallet patterns - a digital fingerprint. Even when names changed, the behavior didn't. The same addresses kept popping up. The same IP clusters. The same fake GitHub profiles with identical commit histories.
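The hop chain in the list above and the "same wallet patterns" observation can be turned into a concrete check. The Python below is an added example, not code from the article or from TRM Labs; the transfer ledger and the denylist are constructed placeholders, not real chain data or real SDN addresses. Starting from a payroll wallet, it follows outgoing transfers hop by hop, keeps only sequences that are consistent in time (a wallet cannot forward funds before receiving them), reports every chain that ends at a denylisted address, and separately lists pass-through wallets that forward almost everything they receive within an hour, which is the intermediate-wallet behaviour described in step four.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction id
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # stablecoin units (USDC in the sample)
    ts: int        # unix timestamp (seconds)


# Constructed sample ledger (not real chain data): one payroll payout that is split,
# re-merged and cashed out, plus one benign payout that simply stays in its wallet.
SAMPLE_TRANSFERS = [
    Transfer("t1", "payroll", "contractor_a", 9_800.0, 1_000),
    Transfer("t2", "contractor_a", "hop_1", 4_900.0, 1_600),
    Transfer("t3", "contractor_a", "hop_2", 4_850.0, 1_700),
    Transfer("t4", "hop_1", "hop_3", 4_880.0, 2_500),
    Transfer("t5", "hop_2", "hop_3", 4_830.0, 2_600),
    Transfer("t6", "hop_3", "otc_broker_x", 9_700.0, 3_300),
    Transfer("t7", "payroll", "contractor_b", 6_000.0, 1_100),
]

# Placeholder denylist; in production this is the digital-currency-address set from
# the OFAC SDN list plus whatever your analytics vendor flags as broker addresses.
DENYLIST = {"otc_broker_x"}


def build_graph(transfers):
    """Adjacency list: sending address -> outgoing transfers."""
    graph = defaultdict(list)
    for t in transfers:
        graph[t.src].append(t)
    return graph


def trace_to_denylist(graph, origin, denylist, max_hops=6):
    """Enumerate hop chains from origin that end at a denylisted address.

    A hop is only followed if it happens after the transfer that funded it, so the
    chain reflects money actually moving rather than unrelated earlier activity.
    """
    paths = []

    def dfs(node, path, last_ts, seen):
        if len(path) >= max_hops:
            return
        for t in graph.get(node, []):
            if t.ts < last_ts or t.dst in seen:
                continue
            if t.dst in denylist:
                paths.append(path + [t])
            else:
                dfs(t.dst, path + [t], t.ts, seen | {t.dst})

    dfs(origin, [], 0, {origin})
    return paths


def pass_through_wallets(transfers, max_hold_seconds=3600, tolerance=0.05):
    """Wallets that forward almost everything they receive within max_hold_seconds."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    first_in, last_out = {}, {}
    for t in transfers:
        inflow[t.dst] += t.amount
        first_in[t.dst] = min(first_in.get(t.dst, t.ts), t.ts)
        outflow[t.src] += t.amount
        last_out[t.src] = max(last_out.get(t.src, t.ts), t.ts)
    flagged = set()
    for wallet, received in inflow.items():
        if wallet not in outflow:
            continue
        retained = abs(received - outflow[wallet]) / received
        if retained <= tolerance and last_out[wallet] - first_in[wallet] <= max_hold_seconds:
            flagged.add(wallet)
    return flagged


def risk_report(transfers, origin, denylist):
    """How much left `origin` and reached a denylisted address, and through which chains."""
    graph = build_graph(transfers)
    paths = trace_to_denylist(graph, origin, denylist)
    final_hops = {p[-1].tx: p[-1].amount for p in paths}  # chains sharing a last hop count once
    return {
        "paths": [[t.tx for t in p] for p in paths],
        "exposure": sum(final_hops.values()),
        "pass_through": sorted(pass_through_wallets(transfers)),
    }


if __name__ == "__main__":
    report = risk_report(SAMPLE_TRANSFERS, "payroll", DENYLIST)
    for chain in report["paths"]:
        print("chain to denylisted address:", " -> ".join(chain))
    print("exposure (USDC):", report["exposure"])
    print("pass-through wallets:", report["pass_through"])
```

On the sample ledger the two chains both end in the same cash-out transfer, so the exposure figure counts it once; the benign payout to contractor_b produces no chain and no pass-through flag. The one-hour hold and 5% retention thresholds are illustrative and should be tuned against normal treasury activity before the check is used to gate payouts.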
And it's working. Since 2021, these schemes have generated over $1 million per year in revenue for the DPRK - money that goes straight to their nuclear program. The U.S. Treasury estimates that nearly 40% of North Korea's weapons funding now comes from crypto theft.
Who's Really at Risk?
You might think this only affects big exchanges or government agencies. It doesn't. The real vulnerability is small and mid-sized crypto startups. They're hiring fast. They're remote-first. They're not doing background checks on contractors from "Southeast Asia" or "Eastern Europe."
A single hired developer with a fake identity can steal thousands in crypto, access internal APIs, and even leak private keys. Some companies didn't even realize they'd been compromised until they saw a $500,000 USDC transfer out of their treasury wallet - to an address later tied to Kim Sang Man, a previously sanctioned DPRK operative.
Even worse, some of these workers aren't just stealing. They're holding systems for ransom. One U.S.-based Web3 firm had its entire codebase encrypted after a contractor "accidentally" deleted a backup. The ransom demand? 15 ETH. Paid in Bitcoin. The contractor vanished the next day.
The Global Web Behind the Theft
This isn't a North Korean problem. It's a global failure.
The networks rely on Russia for banking access, the UAE for crypto liquidity, China for fake ID production, and Southeast Asia for physical cash delivery. OFAC has sanctioned Russian banks, UAE-based exchanges, and even a Chinese company that printed fake work permits for North Korean operatives. But the system keeps adapting.
The FBI, Homeland Security, and State Department are now working with Japan and South Korea on joint intelligence sharing. In August 2025, all three countries issued a joint statement warning tech firms: "If you hire a remote worker from North Korea, even indirectly, you're enabling a weapons program."
It's not enough to screen for country of origin. You have to screen for behavior. Are they using the same email pattern across platforms? Do their GitHub contributions look cloned? Are they pushing code only at odd hours? Are they asking for payment in stablecoins but refusing to use verified wallets?
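The four behavioral questions above can be encoded as a scoring routine. The Python below is an added example, not code from the article or from any vendor; the applicant records, emails, commit SHAs, time zones and wallet addresses are constructed, and "Joshua Palmer" and "Alex Hong" appear only because the article names them as fabricated identities. It normalizes handles so one identity is recognized across platforms and across applications, measures how many commits land between 01:00 and 05:59 in the applicant's claimed time zone, flags a commit history cloned from another profile by Jaccard overlap of commit SHAs, and flags stablecoin payouts to wallets not tied to a KYC exchange.

```python
import re
from datetime import datetime, timedelta, timezone


def normalize_handle(handle):
    """Collapse 'J.Palmer-Dev@example.com', 'jpalmer_dev' and 'JPalmerDev' to 'jpalmerdev'."""
    local_part = handle.split("@", 1)[0]
    return re.sub(r"[^a-z0-9]", "", local_part.lower())


def odd_hour_fraction(commit_times_utc, claimed_utc_offset, odd_hours=range(1, 6)):
    """Share of commits made between 01:00 and 05:59 in the applicant's claimed time zone."""
    if not commit_times_utc:
        return 0.0
    local_tz = timezone(timedelta(hours=claimed_utc_offset))
    odd = sum(1 for t in commit_times_utc if t.astimezone(local_tz).hour in odd_hours)
    return odd / len(commit_times_utc)


def cloned_history(candidate_shas, other_profiles, threshold=0.8):
    """Names of other profiles whose commit SHA set overlaps the candidate's (Jaccard >= threshold)."""
    candidate = set(candidate_shas)
    hits = []
    for name, shas in other_profiles.items():
        other = set(shas)
        if not candidate or not other:
            continue
        jaccard = len(candidate & other) / len(candidate | other)
        if jaccard >= threshold:
            hits.append(name)
    return hits


def screen(candidate, prior_applicants, other_profiles):
    """Return the red flags raised by one applicant; each flag counts one point."""
    flags = {}
    handle = normalize_handle(candidate["email"])
    reused_by = [a["name"] for a in prior_applicants
                 if normalize_handle(a["email"]) == handle and a["name"] != candidate["name"]]
    if reused_by:
        flags["handle_reused_by_other_identity"] = reused_by
    fraction = odd_hour_fraction(candidate["commit_times_utc"], candidate["claimed_utc_offset"])
    if fraction >= 0.5:
        flags["odd_hour_commits"] = round(fraction, 2)
    clones = cloned_history(candidate["commit_shas"], other_profiles)
    if clones:
        flags["cloned_commit_history"] = clones
    payout = candidate["payout"]
    if payout["asset"] in {"USDC", "USDT"} and not payout["kyc_exchange"]:
        flags["stablecoin_to_unverified_wallet"] = payout["address"]
    return {"score": len(flags), "flags": flags}


def _utc(hour):
    return datetime(2025, 8, 1, hour, 0, tzinfo=timezone.utc)


# Constructed applicant data: the names are the fabricated identities cited in the
# article; emails, commit times, SHAs and wallet addresses are made up for the example.
SUSPECT = {
    "name": "Joshua Palmer",
    "email": "j.palmer.dev@example.com",
    "claimed_utc_offset": -5,  # claims to work from the US East Coast
    "commit_times_utc": [_utc(8), _utc(8), _utc(9), _utc(8), _utc(18), _utc(18)],
    "commit_shas": ["a1", "a2", "a3", "a4", "a5"],
    "payout": {"asset": "USDC", "address": "0xPLACEHOLDER_1", "kyc_exchange": False},
}
CLEAN = {
    "name": "Dana Example",
    "email": "dana.example@example.org",
    "claimed_utc_offset": -5,
    "commit_times_utc": [_utc(14), _utc(19), _utc(21)],
    "commit_shas": ["c1", "c2"],
    "payout": {"asset": "USDC", "address": "0xPLACEHOLDER_2", "kyc_exchange": True},
}
PRIOR_APPLICANTS = [{"name": "Alex Hong", "email": "jpalmer-dev@example.net"}]
OTHER_PROFILES = {"dev_mirror_42": ["a1", "a2", "a3", "a4", "a5"], "unrelated": ["b1", "b2", "b3"]}

if __name__ == "__main__":
    for applicant in (SUSPECT, CLEAN):
        print(applicant["name"], screen(applicant, PRIOR_APPLICANTS, OTHER_PROFILES))
```

The thresholds (half of commits at odd hours, 0.8 Jaccard overlap) are illustrative starting points to tune against your own hiring data. A non-zero score is a prompt for a live verification step, such as a document check with a third-party provider and a video call that walks through the applicant's own commits, not an automatic rejection.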
What Companies Must Do Now
If you run a crypto startup or hire remote developers, here's what you need to do - today:
- Verify every contractor's identity using third-party background checks - not just LinkedIn or a resume.
- Block payments to crypto wallets not tied to verified KYC exchanges.
- Use blockchain monitoring tools (like TRM Labs or Chainalysis) to flag transactions linked to sanctioned addresses.
- Require two-factor authentication on all internal crypto wallets - and never give contractors direct access.
- Check OFAC's SDN list monthly. It's updated constantly. A contractor who was clean last month could be sanctioned tomorrow.
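Screening a payout against the SDN list, as the last item above (and the FAQ below on checking contractors) calls for, can be automated. The Python below is an added example, not code from the article, OFAC or any vendor. It assumes the layout of OFAC's sdn.xml: one sdnEntry per listing with lastName/firstName, a programList, and an idList whose idType reads "Digital Currency Address - <ticker>" for wallet addresses; the embedded excerpt is constructed, with only the entity and individual names taken from the article and placeholder uids, program codes and addresses. It matches wallet addresses case-insensitively and company names after dropping corporate suffixes, with a fuzzy fallback for misspelled names.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Placeholder wallet address, embedded in the sample below and reused by the demo.
SAMPLE_ETH_ADDRESS = "0xPLACEHOLDER00000000000000000000000000001"

# Constructed excerpt in the layout of OFAC's sdn.xml. Only the names come from the
# article; entry uids, program codes and wallet addresses are placeholders.
SDN_XML = f"""<?xml version="1.0"?>
<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>90001</uid>
    <lastName>KOREA SINJIN TRADING CORPORATION</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>DPRK3</program></programList>
    <idList>
      <id><uid>1</uid><idType>Digital Currency Address - ETH</idType>
          <idNumber>{SAMPLE_ETH_ADDRESS}</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>90002</uid>
    <lastName>KIM</lastName>
    <firstName>Ung Sun</firstName>
    <sdnType>Individual</sdnType>
    <programList><program>DPRK3</program></programList>
    <idList>
      <id><uid>2</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>bc1PLACEHOLDER0000000000000000000000002</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>"""

CORP_SUFFIXES = {"co", "ltd", "corp", "corporation", "inc", "company", "llc"}


def normalize_name(name):
    """Lower-case, strip punctuation and drop corporate suffixes before comparing names."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)


def _local(tag):
    """Strip the XML namespace that the real sdn.xml puts on every element."""
    return tag.rsplit("}", 1)[-1]


def load_sdn(xml_text):
    """Build two indexes: lower-cased wallet address -> entry, normalized name -> entry."""
    addresses, names = {}, {}
    for entry in ET.fromstring(xml_text):
        if _local(entry.tag) != "sdnEntry":
            continue
        fields = {_local(child.tag): child for child in entry}
        first = fields["firstName"].text if "firstName" in fields else ""
        full_name = f"{first} {fields['lastName'].text}".strip()
        record = {
            "uid": fields["uid"].text,
            "name": full_name,
            "programs": [p.text for p in fields["programList"]],
        }
        names[normalize_name(full_name)] = record
        for id_el in fields.get("idList", []):
            kv = {_local(c.tag): (c.text or "").strip() for c in id_el}
            if kv.get("idType", "").startswith("Digital Currency Address"):
                addresses[kv["idNumber"].lower()] = record
    return addresses, names


def screen_payout(payee_name, wallet_address, addresses, names, fuzzy=0.85):
    """Return (reason, uid, sdn_name) tuples for every SDN entry the payout touches."""
    hits = []
    record = addresses.get(wallet_address.lower())
    if record:
        hits.append(("address", record["uid"], record["name"]))
    query = normalize_name(payee_name)
    for listed_name, record in names.items():
        if SequenceMatcher(None, query, listed_name).ratio() >= fuzzy:
            hits.append(("name", record["uid"], record["name"]))
    return hits


if __name__ == "__main__":
    addresses, names = load_sdn(SDN_XML)
    # Constructed payout requests: a clean one, a name hit and an address hit.
    requests = [
        ("Acme Dev Studio", "0xdeadbeef"),
        ("Korea Sinjin Trading Co., Ltd", "0xdeadbeef"),
        ("Acme Dev Studio", SAMPLE_ETH_ADDRESS),
    ]
    for payee, addr in requests:
        print(payee, addr, "->", screen_payout(payee, addr, addresses, names) or "clear")
```

Rebuild the indexes from a freshly downloaded sdn.xml on every payout run, and at least monthly, since they are only as current as the file they were built from. An address hit should block the payment and trigger a freeze-and-report; a fuzzy name hit is a review trigger, since a ratio threshold on short strings will occasionally pair unrelated names.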
Don't assume a good interview means a safe hire. The best operatives are the ones who don't look suspicious at all.
What's Next?
OFAC isn't done. As of October 2025, investigations are still expanding into networks operating in Laos, Mongolia, and Belarus. More designations are expected before the end of the year. The U.S. is also pushing international allies to shut down OTC brokers that knowingly process DPRK-linked crypto.
Meanwhile, North Korea is shifting tactics. They're now using decentralized exchanges (DEXs) more heavily, trying to bypass centralized platforms. They're experimenting with privacy coins like Monero. And they're recruiting former crypto developers from defunct startups - people with real skills who don't know they're working for a regime that builds nuclear warheads.
The war isn't on the battlefield. It's in the code. And the stakes? Billions. And lives.
Are OFAC sanctions on North Korean crypto networks still active in 2025?
Yes. OFAC's sanctions on North Korean crypto networks are not only active but have intensified in 2025. Multiple new designations were made between July and August 2025, targeting individuals, front companies, and financial facilitators linked to over $2.1 billion in stolen cryptocurrency. The U.S. Treasury continues to update the Specially Designated Nationals (SDN) list monthly with new entities tied to DPRK cyber operations.
How do North Korean hackers steal crypto through remote jobs?
North Korean operatives use fake identities to get hired as remote developers at U.S. crypto startups. Once inside, they access internal systems, steal API keys, and siphon crypto from company wallets. They often pose as freelancers on platforms like Freelancer or RemoteHub, using stolen documents and reused profiles. After collecting payments in stablecoins, they route funds through multiple wallets and cash them out via sanctioned OTC brokers.
What companies are targeted by these North Korean IT schemes?
Companies with remote-first cultures and weak contractor vetting are the main targets - especially Web3 startups, crypto exchanges, blockchain development firms, and decentralized finance (DeFi) projects. These businesses often hire quickly, skip background checks, and use decentralized payment systems, making them easy targets for operatives using fake identities like "Joshua Palmer" or "Alex Hong."
Can I check if a contractor is linked to North Korea?
You can't directly check a person's nationality, but you can screen for red flags: use OFAC's SDN list to verify wallet addresses and company names; check for reused GitHub profiles across multiple platforms; look for payment requests in stablecoins with no KYC; and use blockchain analytics tools like TRM Labs or Chainalysis to flag transactions tied to known DPRK-linked addresses. If a contractor refuses to use a verified exchange for payouts, that's a major warning sign.
What happens if my company accidentally pays a sanctioned North Korean worker?
If your company makes a payment to a sanctioned individual or entity, even unknowingly, you could face civil penalties from OFAC - including fines up to $1 million per violation. You're also legally required to freeze any assets tied to the transaction and report it to OFAC immediately. Ignorance isn't a defense. Regular screening and blockchain monitoring are your best protection.
Is crypto the main way North Korea evades sanctions now?
Yes. Since 2021, crypto theft has become North Korea's top source of sanctioned revenue - surpassing traditional methods like arms sales or counterfeit currency. The U.S. Treasury estimates that over $2.1 billion was stolen in the first half of 2025 alone, with the funds used to finance ballistic missiles and nuclear weapons. Crypto's anonymity and global reach make it ideal for bypassing financial controls.