UN and US Pressure Campaign Targets North Korea IT Worker Fraud and Crypto Theft Funding
U.S. officials urged UN member states to tighten enforcement of sanctions aimed at disrupting North Korea’s revenue-generating cyber operations, highlighting a UN session built around a 140-page report linking Pyongyang’s fraudulent remote IT worker placements (identity theft used to obtain jobs at Western firms) with large-scale cryptocurrency thefts used to fund the regime’s nuclear and ballistic missile programs. The report assessed that more than 40 countries have been impacted by either North Korean crypto heists—reported as surpassing $2 billion in the prior year—or IT worker activity, and it described how operatives can operate from third countries while using stolen identities to secure high-paying remote roles.
The same broader threat picture was echoed in U.S. law-enforcement messaging that North Korea continues to leverage cyber activity to support weapons programs under sanctions pressure, with reporting citing estimates of roughly $2.02 billion in crypto stolen by North Korea-linked actors last year and noting FBI warnings about Kimsuky-linked QR-code phishing. Separately, U.S. officials criticized Russia and China for enabling North Korean schemes, including allegations that North Korea relies on Chinese infrastructure and financial institutions and that Chinese banks and traders are used to launder and cash out stolen cryptocurrency into fiat currency.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
North Korea rejects UN discussion of its cyber and IT worker operations
North Korea's mission to the United Nations responded to the UN discussion by rejecting the allegations and accusing the United States of politicizing the UN and violating international norms. The statement came after the presentation of the multilateral sanctions monitoring report.
U.S. urges UN member states to crack down on North Korean sanctions evasion
At the UN discussion of the monitoring report, the United States called on member states to take stronger action against North Korea's overseas IT worker scheme, crypto thefts, and laundering networks. U.S. officials also alleged that Chinese banks, infrastructure, and traders, along with Russian support, helped facilitate the activity.
UN report says North Korean IT worker scams and crypto thefts hit 40+ countries
A 140-page Multilateral Sanctions Monitoring Team report presented at UN headquarters said North Korea's IT worker fraud and cryptocurrency theft operations affected more than 40 countries. The report linked identity theft, remote employment at Western firms, and more than $2 billion in crypto thefts to funding Pyongyang's nuclear and ballistic missile programs.
FBI says arrests of North Korean, Chinese, and Russian spies rose 35% in 2025
FBI Director Kash Patel said apprehensions of North Korean, Chinese, and Russian spies increased by 35% from 2024 to 2025 as part of U.S. counterterrorism and counterespionage crackdowns. He made the remarks during a podcast interview highlighted in reporting published in January 2026.
North Korea-linked groups steal nearly $2.02 billion in cryptocurrency in 2025
Chainalysis assessed that North Korea-linked actors stole almost $2.02 billion in cryptocurrency during 2025, targeting high-value victims to generate large returns. The thefts were described as part of Pyongyang's broader sanctions-evasion and weapons-funding efforts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Sanctions North Korean Entities for Cybercrime and IT Worker Fraud
The U.S. Treasury Department imposed sanctions on two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen through cybercrime and fraudulent IT worker schemes. The designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), as well as their executives and financial representatives operating in China and Russia. These individuals and organizations are accused of facilitating the movement of tens of millions of dollars in violation of UN sanctions, with funds linked to ransomware attacks and other cyber-enabled crimes targeting U.S. victims. According to U.S. officials, North Korean cybercriminals have stolen over $3 billion in cryptocurrency over the past three years, employing advanced malware and social engineering tactics. Additionally, North Korean IT workers have generated hundreds of millions of dollars annually by concealing their identities and securing freelance work globally, with the proceeds supporting the regime's nuclear weapons program. The sanctions block all property and interests of the designated parties within U.S. jurisdiction, aiming to disrupt North Korea's ability to fund activities that threaten U.S. and global security.
Mar 21, 2026
OFAC Sanctions Facilitators of North Korean IT Worker Fraud Using Cryptocurrency
The U.S. Treasury Department’s **Office of Foreign Assets Control (OFAC)** sanctioned **six individuals and two entities** for supporting North Korean government-directed **fraudulent IT worker schemes** that covertly place DPRK nationals into jobs at legitimate companies (including U.S. firms) using **stolen identities, fake personas, and fraudulent documentation**. U.S. officials said the program generated **nearly $800 million in 2024**, with wages largely diverted to fund the DPRK’s **WMD and ballistic missile programs**, and noted that some IT workers have also been linked to **malware introduction and data theft/extortion** inside victim environments.
Mar 21, 2026
North Korea Turns Cryptocurrency Theft Into a State Revenue Stream
Recorded Future’s Insikt Group reported that North Korea has made cryptocurrency theft a major state-backed source of income, stealing an estimated **$3 billion since 2017**. The report says Pyongyang shifted from **SWIFT-related financial theft** to targeting cryptocurrency during the 2017 crypto boom, initially focusing on South Korea before expanding operations globally. In **2022 alone**, North Korean threat actors were accused of stealing **$1.7 billion**, accounting for **44% of all cryptocurrency stolen worldwide** that year. The stolen funds are reportedly laundered with techniques similar to those used by conventional cybercriminals, including the use of **stolen identities** and **altered photos** to evade anti-money-laundering controls. Recorded Future said the proceeds help the regime blunt the impact of international sanctions and support military and weapons programs, while warning that **cryptocurrency exchanges, individual holders, venture capital firms, and other crypto-related organizations** remain exposed unless cybersecurity, regulation, and investment improve.
May 25, 2026