US Sanctions North Korean Entities for Cybercrime and IT Worker Fraud
The U.S. Treasury Department imposed sanctions on two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen through cybercrime and fraudulent IT worker schemes. The designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), as well as their executives and financial representatives operating in China and Russia. These individuals and organizations are accused of facilitating the movement of tens of millions of dollars in violation of UN sanctions, with funds linked to ransomware attacks and other cyber-enabled crimes targeting U.S. victims.
According to U.S. officials, North Korean cybercriminals have stolen over $3 billion in cryptocurrency over the past three years, employing advanced malware and social engineering tactics. Additionally, North Korean IT workers have generated hundreds of millions of dollars annually by concealing their identities and securing freelance work globally, with the proceeds supporting the regime's nuclear weapons program. The sanctions block all property and interests of the designated parties within U.S. jurisdiction, aiming to disrupt North Korea's ability to fund activities that threaten U.S. and global security.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
U.S. Treasury sanctions North Korean bankers, banks, and IT front company
The U.S. Department of the Treasury's Office of Foreign Assets Control announced sanctions on eight North Korean individuals and two banks, including First Credit Bank and Ryujong Credit Bank, for laundering cybercrime proceeds and IT-worker revenue. Treasury also sanctioned Korea Mangyongdae Computer Technology Company and its president U Yong Su, saying the network helped fund North Korea's WMD and ballistic missile programs.
North Korean IT worker schemes generate illicit overseas revenue
U.S. officials said North Korean IT workers, often using false identities in global freelance and outsourcing jobs, generated hundreds of millions of dollars annually. Treasury linked these operations to entities including Korea Mangyongdae Computer Technology Company and said the revenue supported the DPRK regime.
North Korean cyber actors steal over $3 billion in crypto over three years
According to the U.S. Treasury, DPRK-linked cyber actors stole more than $3 billion in digital assets over the prior three years, largely through cryptocurrency theft enabled by malware and social engineering. The proceeds were described as supporting North Korea's sanctions evasion and weapons programs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
US Treasury Sanctions 8 North Koreans and 2 Banks for Laundering Crypto to Fund WMD Programs
securityonline.info
Open sourceUS sanctions North Korean bankers linked to cybercrime, IT worker fraud
bleepingcomputer.com
Open sourceU.S. sanctioned North Korea bankers for laundering funds linked to cyberattacks and peapons program
securityaffairs.com
Open sourceNorth Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Sanctions on North Korean IT Worker Cybercrime and Deepfake Job Schemes
The US Treasury Department imposed sanctions on eight individuals and two companies for their roles in laundering money earned for North Korea through cybercrime and a sophisticated IT worker fraud scheme. The sanctioned entities, including Korea Mangyongdae Computer Technology Company (KMCTC) and Ryujong Credit Bank, were accused of facilitating the movement of illicit funds generated by North Korean IT workers operating overseas, often using Chinese nationals as proxies. The scheme involved managing millions in cryptocurrency, some of which was linked to ransomware attacks, and directly contributed to funding North Korea's weapons development programs. In parallel, North Korean state-sponsored actors, specifically the Famous Chollima APT group (a division of Lazarus), have been caught using real-time AI deepfake technology to impersonate legitimate engineers during video job interviews at cryptocurrency and Web3 companies. These operatives used stolen identities and AI-powered facial filters to conceal their true appearance, aiming to infiltrate Western organizations for espionage and financial gain. Security researchers observed multiple failed attempts where the deepfake technology malfunctioned, exposing the fraudulent nature of the interviews and highlighting the evolving tactics used by North Korean cyber operatives to bypass security controls and sanctions.
Mar 21, 2026
UN and US Pressure Campaign Targets North Korea IT Worker Fraud and Crypto Theft Funding
U.S. officials urged UN member states to tighten enforcement of sanctions aimed at disrupting **North Korea’s revenue-generating cyber operations**, highlighting a UN session built around a 140-page report linking Pyongyang’s **fraudulent remote IT worker placements** (identity theft used to obtain jobs at Western firms) with **large-scale cryptocurrency thefts** used to fund the regime’s nuclear and ballistic missile programs. The report assessed that **more than 40 countries** have been impacted by either North Korean crypto heists—reported as surpassing **$2 billion** in the prior year—or IT worker activity, and it described how operatives can operate from third countries while using stolen identities to secure high-paying remote roles. The same broader threat picture was echoed in U.S. law-enforcement messaging that North Korea continues to leverage cyber activity to support weapons programs under sanctions pressure, with reporting citing estimates of roughly **$2.02 billion** in crypto stolen by North Korea-linked actors last year and noting FBI warnings about **Kimsuky**-linked **QR-code phishing**. Separately, U.S. officials criticized **Russia and China** for enabling North Korean schemes, including allegations that North Korea relies on Chinese infrastructure and financial institutions and that **Chinese banks and traders** are used to launder and cash out stolen cryptocurrency into fiat currency.
Mar 21, 2026
OFAC Sanctions Facilitators of North Korean IT Worker Fraud Using Cryptocurrency
The U.S. Treasury Department’s **Office of Foreign Assets Control (OFAC)** sanctioned **six individuals and two entities** for supporting North Korean government-directed **fraudulent IT worker schemes** that covertly place DPRK nationals into jobs at legitimate companies (including U.S. firms) using **stolen identities, fake personas, and fraudulent documentation**. U.S. officials said the program generated **nearly $800 million in 2024**, with wages largely diverted to fund the DPRK’s **WMD and ballistic missile programs**, and noted that some IT workers have also been linked to **malware introduction and data theft/extortion** inside victim environments.
Mar 21, 2026