OFAC Sanctions Facilitators of North Korean IT Worker Fraud Using Cryptocurrency
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned six individuals and two entities for supporting North Korean government-directed fraudulent IT worker schemes that covertly place DPRK nationals into jobs at legitimate companies (including U.S. firms) using stolen identities, fake personas, and fraudulent documentation. U.S. officials said the program generated nearly $800 million in 2024, with wages largely diverted to fund the DPRK’s WMD and ballistic missile programs, and noted that some IT workers have also been linked to malware introduction and data theft/extortion inside victim environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OFAC sanctions DPRK IT worker facilitators and related crypto addresses
On March 12, 2026, the U.S. Treasury Department's OFAC sanctioned six individuals and two entities supporting North Korea's IT worker fraud schemes across North Korea, Vietnam, Laos, and Spain. OFAC also designated 21 cryptocurrency addresses and updated the designation of a previously sanctioned DPRK financial facilitator with additional crypto addresses.
U.S. sanctions Kim Se Un over major Vietnam-based DPRK IT worker operations
In July 2025, the United States sanctioned North Korean national Kim Se Un for allegedly running major parts of the DPRK IT worker operation in Vietnam. U.S. authorities also offered a $3 million State Department bounty tied to his role.
North Korean IT worker scheme generates nearly $800 million in 2024
U.S. authorities assessed that North Korea's state-directed overseas IT worker operations generated nearly $800 million during 2024. The scheme used fraudulent identities and remote jobs at legitimate companies, with some cases involving malware deployment and extortion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
New US sanctions on North Korean IT worker scheme issued | brief | SC Media
scworld.com
Open sourceBeyond IT Worker Fraud: OFAC's Latest DPRK Designations Show Broader Sanctions and National Security Risk | TRM Blog
trmlabs.com
Open sourceOFAC Targets DPRK IT Workers Using Crypto
chainalysis.com
Open sourceUS sanctions North Korea IT worker networks in Laos, Vietnam | The Record from Recorded Future News
therecord.media
Open sourceTreasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses | U.S. Department of the Treasury
home.treasury.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Fake IT Worker Network Infiltrates Western Firms and Funds Pyongyang
U.S. authorities and multiple security firms detailed a large North Korean scheme in which operatives use stolen or fabricated identities to win remote IT jobs at Western companies, then send the earnings back to Pyongyang in violation of sanctions. Research from IBM X-Force, Flare, Microsoft, LevelBlue, and others described a mature ecosystem of recruiters, facilitators, brokers, laptop-farm operators, and Western collaborators that helps workers pass interviews, receive corporate devices, mask their locations with VPNs, and clear payroll and compliance checks. Estimates cited across the reporting say more than 100,000 workers operating across dozens of countries may be generating roughly **$500 million annually**, while some cases also involved data theft, source-code exfiltration, extortion, and malware activity after hiring. The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities tied to the operation, while U.S. courts sentenced three Americans, including a former Army soldier, for helping North Korean workers use false identities and laptop farms to obtain jobs at U.S. companies. Investigations also exposed operational tradecraft including use of **Astrill VPN**, **NetKey/OConnect**, **IP Messenger**, freelance platforms, AI-generated resumes and headshots, and U.S.-based hardware relays such as PiKVM-enabled laptop farms; one hired worker was removed within 10 days after suspicious logins from China and Missouri triggered detection. Researchers and federal advisories warned that remote hiring has become an insider-threat and sanctions-compliance risk, urging tighter identity verification, live skills testing, device and geolocation controls, least-privilege access, and joint oversight by HR, recruiters, and security teams.
Jun 21, 2026
US Sanctions North Korean Entities for Cybercrime and IT Worker Fraud
The U.S. Treasury Department imposed sanctions on two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen through cybercrime and fraudulent IT worker schemes. The designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), as well as their executives and financial representatives operating in China and Russia. These individuals and organizations are accused of facilitating the movement of tens of millions of dollars in violation of UN sanctions, with funds linked to ransomware attacks and other cyber-enabled crimes targeting U.S. victims. According to U.S. officials, North Korean cybercriminals have stolen over $3 billion in cryptocurrency over the past three years, employing advanced malware and social engineering tactics. Additionally, North Korean IT workers have generated hundreds of millions of dollars annually by concealing their identities and securing freelance work globally, with the proceeds supporting the regime's nuclear weapons program. The sanctions block all property and interests of the designated parties within U.S. jurisdiction, aiming to disrupt North Korea's ability to fund activities that threaten U.S. and global security.
Mar 21, 2026
US Sanctions on North Korean IT Worker Cybercrime and Deepfake Job Schemes
The US Treasury Department imposed sanctions on eight individuals and two companies for their roles in laundering money earned for North Korea through cybercrime and a sophisticated IT worker fraud scheme. The sanctioned entities, including Korea Mangyongdae Computer Technology Company (KMCTC) and Ryujong Credit Bank, were accused of facilitating the movement of illicit funds generated by North Korean IT workers operating overseas, often using Chinese nationals as proxies. The scheme involved managing millions in cryptocurrency, some of which was linked to ransomware attacks, and directly contributed to funding North Korea's weapons development programs. In parallel, North Korean state-sponsored actors, specifically the Famous Chollima APT group (a division of Lazarus), have been caught using real-time AI deepfake technology to impersonate legitimate engineers during video job interviews at cryptocurrency and Web3 companies. These operatives used stolen identities and AI-powered facial filters to conceal their true appearance, aiming to infiltrate Western organizations for espionage and financial gain. Security researchers observed multiple failed attempts where the deepfake technology malfunctioned, exposing the fraudulent nature of the interviews and highlighting the evolving tactics used by North Korean cyber operatives to bypass security controls and sanctions.
Mar 21, 2026