U.S. Sanctions North Korean Crypto Laundering Network Tied to $12.7 Million in Fraud

U.S. Sanctions North Korean Crypto Laundering Network Tied to $12.7 Million in Fraud

The U.S. Treasury Department has announced sweeping sanctions against 10 individuals and organizations linked to North Korea, accusing them of laundering millions in cryptocurrency and orchestrating fraudulent IT work schemes to secretly fund the regime’s nuclear and cyber operations.

Officials say the network operated across China, Russia, and North Korea, funneling digital assets and wages from disguised tech workers into accounts used to finance the country’s weapons programs.

A Digital Funding Stream for Weapons Development

For years, North Korean hacking units have stolen and laundered money through the crypto economy to sustain their nuclear ambitions. According to Treasury officials, those operations have now expanded to include false employment schemes, where North Korean IT professionals pose as remote freelancers, get hired by foreign companies, and redirect their paychecks back home.

“These actors steal and launder funds to advance Pyongyang’s weapons development, directly threatening U.S. and global security,”

said John K. Hurley, Under Secretary for Terrorism and Financial Intelligence.

The sanctions target a mix of individual facilitators, IT front companies, and proxy financial institutions that have quietly supported these illicit activities for years.

How the Scheme Worked

Investigators identified a complex network designed to hide the origin of North Korean money using both traditional banking and cryptocurrency channels.

🔍 Key entities and individuals include:

• First Credit Bank: A North Korean financial institution previously sanctioned in 2017. Its associates Jang Kuk Chol and Ho Jong Son managed over $5.3 million in crypto transactions.

• Korea Mangyongdae Computer Technology Company (KMCTC): A front company that sent IT worker teams to Shenyang and Dandong, China, using Chinese nationals as intermediaries to conceal funds.

• Ryujong Credit Bank: Helped move money between North Korea and China in violation of international restrictions.

• Five senior North Korean representatives operating out of Russia and China who coordinated multi-million-dollar transfers for sanctioned banks.

Blockchain forensics firm TRM Labs tracked wallet activity tied to First Credit Bank, uncovering patterns that resembled regular payroll deposits. Those digital wallets collectively received more than $12.7 million between mid-2023 and mid-2025, proving the operation had been active for years.

The Hidden Army of “IT Workers”

The U.S. Treasury also detailed how North Korean IT specialists have been quietly embedding themselves in legitimate companies around the world. Using fake identities and VPNs to hide their origins, these workers apply for remote jobs, deliver real projects, and then divert earnings back to Pyongyang.

In some cases, they even hire unsuspecting freelance programmers to collaborate under false pretenses — splitting profits to avoid suspicion while increasing revenue flow to North Korea.

This tactic allows the regime to generate steady income while bypassing the sanctions that limit traditional trade and finance.

The Global Risk

North Korea’s cyber operations are among the most advanced and financially motivated in the world. Over the past three years, experts estimate that state-backed hackers have stolen more than $3 billion in digital assets, often through malware, phishing, and social engineering attacks on crypto platforms and financial systems.

The latest sanctions send a message that the U.S. is prepared to disrupt every layer of that ecosystem — from the hackers who steal funds to the banks and brokers that launder them.

What Businesses Should Take Away

This investigation highlights how deeply state-sponsored cybercrime has evolved into a global economy. For companies, especially those managing remote teams or digital payments, the lessons are clear:

• Verify freelancer identities and work locations before hiring.

• Implement strict vendor vetting and payment oversight for offshore contractors.

• Monitor cryptocurrency transactions and cross-border transfers for red flags.

• Educate teams about social engineering and remote access risks.

Illicit IT labor and crypto laundering are no longer isolated events — they’re part of a coordinated strategy to exploit global digital infrastructure for geopolitical gain.

The Bigger Picture

Taken together, the sanctioned individuals and organizations represent a core component of North Korea’s sanctions evasion framework. By fusing crypto laundering, remote work infiltration, and classic bank fraud, the regime has built a pipeline that turns stolen data and wages into missile parts and cyber capabilities.

The U.S. and its allies are now focused on cutting off that pipeline before it grows even larger — and before other nations adopt similar tactics.