The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned six individuals and two companies on March 13 for their roles in a North Korean state-directed scheme that generated nearly $800 million in fraudulent IT worker earnings in 2024 alone.

How the Scheme Worked

North Korea's Reconnaissance General Bureau recruited and deployed teams of IT workers who used stolen identities, fabricated personas, and forged documents to secure remote employment at U.S. and allied companies. The operatives siphoned their wages back to Pyongyang to fund weapons of mass destruction and ballistic missile programs. In some cases, workers also planted malware inside employer networks to steal proprietary data.

The sanctioned network spanned Vietnam, Laos, Spain, and North Korea. Among the designated parties is Amnokgang Technology Development Company, a DPRK state-affiliated firm that managed overseas IT worker delegations and conducted military technology procurement. A Vietnam-based company, Quangvietdnbg, converted roughly $2.5 million into cryptocurrency for North Korean operatives between 2023 and 2025.

Crypto at the Center

OFAC designated 21 cryptocurrency wallet addresses across Ethereum, Tron, and Bitcoin — reflecting what blockchain analytics firm Chainalysis called the DPRK's increasingly multichain approach to moving illicit funds. TRM Labs traced over $12 million in transactions through Amnokgang-linked addresses, with flows connecting to sanctioned banks, Chinese darknet markets, and high-risk exchanges.

North Korea has become one of the most prolific crypto thieves globally. State-sponsored hackers stole more than $2 billion in cryptocurrency in 2025, including the record $1.4 billion Bybit exchange hack.

The Treasury's sanctions freeze all U.S. assets of the designated parties and prohibit American entities from transacting with them. Foreign financial institutions risk secondary sanctions for knowingly facilitating related transactions.