US Sanctions on North Korean IT Worker Cybercrime and Deepfake Job Schemes
The US Treasury Department imposed sanctions on eight individuals and two companies for their roles in laundering money earned for North Korea through cybercrime and a sophisticated IT worker fraud scheme. The sanctioned entities, including Korea Mangyongdae Computer Technology Company (KMCTC) and Ryujong Credit Bank, were accused of facilitating the movement of illicit funds generated by North Korean IT workers operating overseas, often using Chinese nationals as proxies. The scheme involved managing millions in cryptocurrency, some of which was linked to ransomware attacks, and directly contributed to funding North Korea's weapons development programs.
In parallel, North Korean state-sponsored actors, specifically the Famous Chollima APT group (a division of Lazarus), have been caught using real-time AI deepfake technology to impersonate legitimate engineers during video job interviews at cryptocurrency and Web3 companies. These operatives used stolen identities and AI-powered facial filters to conceal their true appearance, aiming to infiltrate Western organizations for espionage and financial gain. Security researchers observed multiple failed attempts where the deepfake technology malfunctioned, exposing the fraudulent nature of the interviews and highlighting the evolving tactics used by North Korean cyber operatives to bypass security controls and sanctions.

How this story unfolded
U.S. Treasury sanctions North Korean laundering network tied to cybercrime
The U.S. Treasury Department's OFAC sanctioned eight individuals and two North Korean-linked entities, including Korea Mangyongdae Computer Technology Company and Ryujong Credit Bank, for laundering proceeds from cybercrime and the DPRK's fraudulent IT worker scheme. Treasury said facilitators in China and Russia moved millions of dollars, including cryptocurrency connected to ransomware and fake-identity IT jobs, to help fund the regime.
Quetzal Team observes AI-deepfake fake interviews targeting crypto firm
Quetzal Team analysts documented two consecutive attempts by operators linked to North Korea's Famous Chollima to interview for a Senior Software Engineer role at a cryptocurrency company using stolen identities, resumes, and real-time AI facial filters. The impostors were exposed by deepfake artifacts, inconsistent behavior, inability to speak claimed native Spanish, and LinkedIn profiles disappearing after the calls.
Sources
U.S. Sanctions 10 North Korean Entities for Laundering $12.7M in Crypto and IT Fraud
thehackernews.com
US slaps sanctions on North Koreans involved in cybercrime, IT worker asset laundering
scworld.com
Treasury sanctions 8 for laundering North Korea earnings from cybercrime, IT worker scheme
therecord.media
North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews
hackread.com


