U.S. Escalates Crackdown on North Korea’s Cyber Heists and IT Fraud Networks
With the United States and many of its international allies imposing staunch sanctions on the Democratic People’s Republic of Korea (DPRK) over the country’s increasingly destabilizing activities (including its nuclear and ballistic missile programs and its human rights abuses over the past decade), North Korea has developed into a hub for state-sponsored sanctions evasion in order to keep its economic lifelines afloat. Arguably the most lucrative avenue the DPRK has explored in this regard is cybercrime. The country’s increasingly sophisticated cyber operations have allowed the regime to generate foreign currency quickly while circumventing economic sanctions, to pilfer valuable proprietary data, personal information, and cryptocurrency that can be used to facilitate additional fundraising, and even to disrupt the daily governmental activities of its adversaries, with each of these outlets advancing regime priorities in the process.
The scale and ambition of these illicit operations have grown exponentially in recent years, and they have not been strictly financially motivated. The greatest damage has undoubtedly been caused by ransomware exploits and data breaches targeting the U.S. healthcare industry and military-related systems in the early 2020s. In 2021, a hacking group tied to North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB), launched a series of ransomware attacks against hospitals across the United States, paralyzing their diagnostic systems and providing access to classified patient data, with those behind the operations seeking payment (via cryptocurrency) to restore operations at these institutions.[1] Further, a 2022 data breach run by the same group compromised servers at a U.S. Air Force base, allowing the group to steal over 47 gigabytes of unclassified technical data, including military-aircraft and satellite-material information, from NASA’s Office of the Inspector General as well as various defense contractors.[1] These exploits targeting critical American infrastructure have threatened national security and risked exposing defense-related data to foreign adversaries.
Most recently, the DPRK has sponsored national operatives in their efforts to gain employment with U.S. technology and IT firms under false pretenses. The U.S. Department of Justice (DOJ) announced in mid-2025 that the reach of these activities was significant: facilitators of these schemes ultimately placed remote workers at over 136 U.S. companies. In most cases, North Korean-employed operatives used stolen or fake identities to gain access to the inner workings of American companies and steal sensitive data. It was later discovered that several of these operatives had succeeded in installing remote-management tools and compromising proprietary or defense-related information inside the U.S. companies to which they gained access, leading to significant data theft and causing irreparable damage to the integrity of the U.S. tech industry.
To date, the U.S. government has remained proactive in its efforts to thwart these illicit activities and has continued to widen the scope of its sanctions on bad actors operating on behalf of the DPRK. On November 4th, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced new sanctions on eight individuals and two entities linked to North Korea’s sophisticated cybercrime and overseas IT worker schemes, which have generated billions to fund the regime’s activities. The designations follow the aforementioned surge in DPRK-linked cryptocurrency thefts, with hackers stealing an estimated $1.65 billion in digital assets in the first nine months of 2025 alone, pushing their three-year total past $3 billion.
This latest action aligns with an October 2025 report by the Multilateral Sanctions Monitoring Team, which documented systematic DPRK violations of UN resolutions, including the deployment of thousands of IT workers who falsely present themselves as non-North Korean residents on freelance platforms. These workers, often based in China, Russia, and Southeast Asia, were found to remit up to 80% of their earnings to state-controlled accounts. Those funds are then generally laundered through mixing services, decentralized exchanges, and over-the-counter brokers before being converted into resources for Pyongyang’s weapons development. Blockchain analysis by TRM Labs identified 53 cryptocurrency addresses tied to the sanctioned parties, holding approximately $5.4 million at the time of freezing. Tether, the issuer of the USDT stablecoin, also cooperated by blacklisting related USDT holdings earlier in 2025.
As detailed in OFAC’s announcement, those sanctioned include two North Korean bankers who provided material assistance to the DPRK by managing funds, including $5.3 million in cryptocurrency, on behalf of OFAC-designated First Credit Bank. The sanctions also cover Korea Mangyongdae Computer Technology Company (KMCTC), an IT company based in North Korea that operates IT worker delegations from at least two cities in China, Shenyang and Dandong. Operatives acting for the company reportedly used Chinese nationals as banking proxies to obfuscate the origin of funds generated by the DPRK IT workers’ illicit revenue generation schemes.[2] The announced measures also targeted the sanctions evasion networks that the DPRK uses to launder revenue from its illicit financial activities, including this fraudulent IT work: Ryujong Credit Bank, a North Korea-based financial institution, was found to have provided financial assistance for sanctions avoidance activities between China and North Korea.[2] The other individuals named in the announcement are Ho Yong Chol, Han Hong Gil (Han), Jong Sung Hyok (Jong), Choe Chun Pom (Choe) and Ri Jin Hyok (Ri), each of whom is a China- or Russia-based North Korean representative of a DPRK financial institution who assisted in facilitating the transfer of funds to and from the DPRK.[2]
In a statement released following the sanctions announcement, Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley stated that, by generating revenue for Pyongyang’s weapons development, the named actors “directly threaten U.S. and global security”, adding that the “Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.” In the wake of the move, domestic and international financial institutions face elevated compliance obligations of their own. U.S. persons must block any property of the designated parties and report it to OFAC; transactions involving entities 50% or more owned by blocked persons are also prohibited. Secondary sanctions risk extends to non-U.S. institutions that knowingly facilitate significant transactions with these networks.
Regulators worldwide have also urged enhanced due diligence on prospective remote IT hires exhibiting red flags (e.g., use of residential proxies, reluctance to join video interviews, or payment routing through third countries), on cryptocurrency flows originating from addresses linked to known DPRK laundering clusters, and on unusual freelance payment patterns involving high-volume contracts with limited verifiable identity. All told, the November designations mark the latest chapter in a broader international effort to disrupt North Korea’s fusion of state-sponsored cybercrime and global labor export schemes. With the DPRK’s criminal exploits growing in scale and sophistication, financial institutions and technology platforms are under increasing pressure to close the gaps that have allowed billions in illicit revenue to flow unchecked.
Citations
- [1] Legare, Robert, and Nicole Sganga. “North Korean Charged in Ransomware Attacks on NASA, U.S. Hospitals; $10 Million Reward Offered.” CBS News, 25 July 2024.
- [2] U.S. Department of the Treasury. “Treasury Sanctions DPRK Bankers and Institutions Involved in Laundering Cybercrime Proceeds and IT Worker Funds.” U.S. Department of the Treasury, 4 Nov. 2025.
