The U.S. Department of the Treasury on Tuesday expanded sanctions against a network of North Korea–linked bankers, companies, and facilitators accused of laundering proceeds from cybercrime and illicit IT-worker schemes.
The Office of Foreign Assets Control (OFAC) designated eight individuals and two entities, including identified bankers and the Korean firm KMCTC, for moving and hiding cryptocurrency and other revenue that the Treasury says funds Pyongyang’s weapons programs.
“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” Under Secretary for Terrorism and Financial Intelligence John K. Hurley said in the announcement. OFAC stated that the designated actors managed both crypto and fiat flows, and updated the Specially Designated Nationals (SDN) List with relevant cryptocurrency addresses tied to First Credit Bank.
How money laundering works, and how crypto changes it
Money laundering traditionally follows three steps:
- Placement: introduce illicit proceeds into the financial system;
- Layering: obscure the trail through multiple transfers and intermediaries;
- Integration: reintroduce cleaned funds as apparently legitimate assets.
With cryptocurrencies, exploiters follow the same objectives but change the mechanics. Accounts (addresses) can be created in seconds, funds move across chains at low cost, and swapping, tumblers/mixers, and unregulated venues enable complex layering that obfuscates provenance.
Unlike cash, crypto enables rapid, scriptable mass transfers that can be routed across dozens of services and jurisdictions, making traditional bank-centric tracking methods insufficient on their own.
The UN Office on Drugs and Crime estimates global money-laundering flows at 2–5% of GDP annually. Blockchain tracing firms and law enforcement increasingly warn that a large share of modern illicit proceeds now moves in crypto form, prompting new regulatory focus on exchange controls, on-chain analytics, and cross-border cooperation.
What OFAC targeted and why it matters
OFAC’s action names specific facilitators and entities tied to laundering networks:
- North Korean bankers Jang Kuk Chol and Ho Jong Son managed $5.3 million in crypto tied to ransomware and IT-worker operations for First Credit Bank.
- Korea Mangyongdae Computer Technology Company (KMCTC) and its president, U Yong Su, were sanctioned for running DPRK IT teams in China and laundering funds through proxy accounts.
- Treasury also identified a wider network using shell firms, offshore reps, and foreign banks, including in China and Russia, to move North Korean money.
Treasury tied these networks to the DPRK’s broader playbook: state-directed cyber theft, sophisticated social-engineering hacks, and contract fraud using coerced or falsified identities among overseas IT workers. OFAC said North Korea-affiliated cybercriminals stole more than $3 billion in crypto over the past three years.
The designations invoke multiple executive orders aimed at countering cyber-enabled crimes and sanctions evasion and expand the SDN entries to include cryptocurrency addresses — a sign that Treasury is treating on-chain identifiers as actionable sanctions targets.
Methods cited in recent DPRK schemes
Treasury’s statement and related reporting highlight recurring DPRK tactics:
- Fake IDs and proxies: DPRK IT workers hide nationality using false identities and local banking intermediaries.
- Cross-border laundering: Funds move through shells, lax corridors, and unregulated exchanges to erase trails.
- Crypto mixers and micro-transfers: Automated splits and merges obscure origins across countless wallets.
- Remote-hire infiltration: Operatives pose as freelancers to access company systems and steal data or assets.
Past incidents reinforce these methods: law enforcement investigations have connected Lazarus-style groups to major heists and laundering channels that exploit lax controls at small exchanges or OTC desks. High-profile breaches and infiltration attempts have pushed some U.S. firms to tighten hiring and security policies.
Broader context: previous incidents and industry reaction
Treasury’s action comes amid a string of high-profile attacks and corporate responses this year. Exchanges and service providers have tightened onboarding and employee vetting after reported attempts by DPRK operatives to secure contractor roles inside crypto firms. Coinbase, for example, instituted stricter rules for personnel handling sensitive systems after reporting targeted approaches by DPRK IT operatives.
Internationally, incidents such as the Lykke breach and other Lazarus operations have shown how quickly platform failures can cascade into insolvency, regulatory scrutiny, and cross-border enforcement actions. The UK Treasury and EU authorities have repeatedly warned that unchecked stablecoin and crypto flows can pose systemic and cyber risks.
What comes next: enforcement and industry measures
The U.S. Treasury said it will continue to pursue the financial facilitators that enable DPRK schemes, emphasizing collaboration with law enforcement, financial-sector partners, and allied jurisdictions.
The Treasury’s next steps include expanding the monitoring and designation of cryptocurrency addresses linked to sanctioned entities, increasing scrutiny of banking proxies and cross-border correspondent transactions, and intensifying pressure on exchanges, custodians, and over-the-counter (OTC) desks to strengthen KYC and AML screening while cooperating more closely on freezing and recovering illicit funds.
For crypto firms, the sanctions are a warning shot: tighten identity checks, strengthen on-chain tracking, and lock down fiat gateways, or risk becoming part of the laundering chain.
Bottom line
Treasury’s action signals a hardening stance: sanctions will target not only operational hackers but also the financial pipelines that let state-backed schemes convert stolen crypto into usable revenue.
As OFAC moves to tie on-chain identifiers to enforcement, both crypto firms and traditional banks face growing pressure to shore up controls or risk becoming conduits for illicit state financing. The enforcement push is likely to accelerate cross-border collaboration and, for the industry, force faster adoption of stronger compliance and operational defenses.
Also read: Curve Finance Warns DeFi Developers After $116M Balancer Hack
