OFAC Sanctions on North Korean Crypto Networks: How the U.S. Is Targeting $2.1 Billion in Stolen Crypto

North Korea isn’t just building missiles; it’s building crypto theft networks. The operation has been running since 2021, and U.S. officials estimate that Pyongyang’s state-backed hackers stole over $2.1 billion in cryptocurrency in the first half of 2025 alone. This isn’t random hacking. It’s a highly organized, global operation run by the Workers’ Party of Korea, using fake IT workers embedded in American tech companies to steal data, demand ransoms, and launder money through crypto. And the U.S. government is fighting back with sanctions that hit harder than ever.

How North Korea’s Crypto Theft Works

It starts with a job application. A person claims to be a freelance blockchain developer from South Korea or the Philippines. They have a polished GitHub profile, a Medium blog with technical posts, and a LinkedIn account that looks real. They get hired by a U.S. crypto startup or Web3 company. They work remotely. They deliver code. They get paid in USDC or ETH.

But here’s the twist: that person doesn’t exist. Or rather, they’re a fake identity created by North Korean operatives. These workers are part of a system called "overseas IT worker schemes." They’re not just coders; they’re spies. While doing legitimate work, they quietly map out the company’s internal systems, steal access keys, and look for vulnerabilities. Once they have what they need, they trigger ransomware, drain wallets, or siphon funds directly.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) calls these actors by codenames such as:

  • Famous Chollima, a North Korean cyber unit specializing in crypto theft and IT worker fraud
  • Jasper Sleet, a network linked to ransomware attacks on U.S. crypto firms
  • UNC5267, a group tied to systematic identity theft and money laundering via centralized exchanges

They use stolen identities. Fake passports. Bogus work visas. Some even pose as students or remote contractors from Eastern Europe. Their tools? Common platforms like Freelancer, RemoteHub, and WorkSpace.ru, places where companies hire freelancers without deep background checks.

The $2.1 Billion Problem

According to blockchain analytics firm TRM Labs, North Korean actors stole $2.1 billion in crypto in the first six months of 2025. That’s more than the entire year of 2024. Most of it came from small and mid-sized crypto firms that hired remote workers without proper vetting.

The stolen funds don’t stay in crypto for long. They’re moved through a web of wallets, mixed with legitimate transactions, and converted into cash. One key method? Over-the-counter (OTC) brokers in the UAE and Russia. These brokers, often unaware they’re dealing with stolen money, exchange ETH or USDC for U.S. dollars in cash. Then the cash is shipped or wired to North Korea.

One individual, Kim Ung Sun, a North Korean operative who facilitated nearly $600,000 in crypto-to-cash conversions, was sanctioned by OFAC in August 2025. He used fake identities like "Joshua Palmer" and "Alex Hong" to collect payments from U.S. employers. His transfers were traced to wallets linked to previously sanctioned DPRK operatives: Kim Sang Man, a senior DPRK financial coordinator tied to weapons funding, and Sim Hyon Sop, a known DPRK money launderer with ties to Russian financial institutions.

The Department of Justice filed a civil forfeiture complaint in June 2025 seeking over $7.7 million in seized assets, including ETH, USDC, and even high-value NFTs, all tied to this network.

Who Got Sanctioned, and Why

On August 27, 2025, OFAC announced its biggest wave of sanctions yet. It targeted:

  • Vitaliy Sergeyevich Andreyev, a Russian national who helped route stolen crypto through Russian infrastructure
  • Kim Ung Sun, the North Korean facilitator behind multiple cash conversions
  • Shenyang Geumpungri Network Technology Co., Ltd, a Chinese front company that hired fake IT workers for DPRK operations
  • Korea Sinjin Trading Corporation, a North Korean entity that funneled stolen crypto into global markets
  • Korea Sobaeksu Trading Company, a sanctions-evading entity tied to Kim Se Un, Jo Kyong Hun, and Myong Chol Min

These aren’t random names. They’re nodes in a global network. Each one plays a role: one handles fake identities, another moves money through Russian IPs, a third converts crypto to cash in Dubai, and a fourth funnels the cash into North Korean military accounts.

The sanctions freeze any U.S.-based assets these people or companies hold. They also make it illegal for any American or U.S. company to do business with them. That includes paying them, sending them crypto, or even using a wallet that once interacted with one of their addresses.

How the U.S. Is Fighting Back

This isn’t just OFAC’s fight. It’s a whole-of-government operation.

The FBI and Homeland Security Investigations seized wallets and traced transactions across 12 countries. The Department of Justice filed civil forfeiture cases. The State Department coordinated with South Korea and Japan to issue joint warnings. The Treasury’s Financial Crimes Enforcement Network (FinCEN) issued alerts to crypto exchanges.

Blockchain analytics firms like TRM Labs now monitor over 8,000 cryptocurrency addresses linked to DPRK actors. They track patterns: wallets that receive small deposits from dozens of sources, then send large sums to OTC brokers in Russia. Wallets that sit idle for months, then suddenly transfer ETH to a known sanctioned address.

One key discovery? North Korea’s hackers are reusing the same fake identities across multiple operations. "Joshua Palmer" wasn’t just one person. He was a template. Used in 17 different companies. Paid in USDC. Always used the same GitHub profile. Always signed off with the same signature.

What This Means for Crypto Companies

If you run a crypto startup and hire remote developers, you’re at risk. You don’t need to be a target to get caught in the crossfire. If one of your contractors turns out to be a DPRK operative, your company could be flagged as a facilitator. Your transaction history could be frozen. Your bank might cut you off.

The U.S. government now expects companies to screen for indirect exposure. That means checking:

  • Does your contractor use a VPN or proxy from Russia, China, or Laos?
  • Do they have a history of working with multiple companies in the last 6 months?
  • Are their GitHub or LinkedIn profiles created in the last 30 days with no real work history?
  • Do they insist on being paid in stablecoins like USDC, with no tax forms or ID verification?

Many firms are now using tools that scan for behavioral red flags: sudden changes in wallet patterns, multiple small payments from different employers, or transfers to wallets previously flagged by OFAC.
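The red flags above, and the wallet patterns analytics firms watch for (many small deposits from many sources followed by a large outflow, rapid fragmentation, contact with a sanctioned address), can be turned into a simple screening heuristic. The following is an added example written for this article, not code from any vendor or agency: the ledger, wallet names and sanctioned-address list are all constructed placeholders, and the thresholds are assumptions a compliance team would tune to its own data.

```python
DAY = 86_400                      # seconds
WALLET = "0xCONTRACTOR"           # constructed: the payee wallet under review
SANCTIONED = {"0xSANCTIONED_1"}   # constructed placeholder, not a real OFAC listing

# Constructed ledger: (unix_time, sender, receiver, amount_usdc).
TXS = (
    # twelve modest deposits from twelve different "employers", one per day
    [(d * DAY, f"0xEMPLOYER_{d}", WALLET, 4_000.0) for d in range(12)]
    # then the whole balance leaves in one transfer to an OTC-style counterparty
    + [(13 * DAY, WALLET, "0xOTC_DESK", 48_000.0)]
    # the counterparty later forwards funds to a sanctioned address (one hop from WALLET)
    + [(14 * DAY, "0xOTC_DESK", "0xSANCTIONED_1", 40_000.0)]
)

def screen_wallet(wallet, txs, sanctioned, small=5_000.0, big=25_000.0,
                  min_sources=10, frag_window=DAY, frag_min=10):
    """Return the sorted list of red flags raised for `wallet`.

    Heuristics: direct or one-hop contact with a sanctioned address, many small
    deposits from many sources followed by a large outflow, and rapid
    fragmentation of an outgoing balance into many wallets.
    """
    incoming = [t for t in txs if t[2] == wallet]
    outgoing = sorted((t for t in txs if t[1] == wallet), key=lambda t: t[0])
    flags = set()

    # every counterparty this wallet has ever paid or been paid by
    touched = {t[1] for t in incoming} | {t[2] for t in outgoing}
    if touched & sanctioned:
        flags.add("direct_sanctioned_exposure")
    # indirect exposure: a counterparty itself sent to or received from a sanctioned address
    for _, src, dst, _ in txs:
        if (src in touched and dst in sanctioned) or (dst in touched and src in sanctioned):
            flags.add("one_hop_sanctioned_exposure")

    # fan-in of small deposits from many distinct sources, then a large outflow
    small_sources = {t[1] for t in incoming if t[3] <= small}
    if len(small_sources) >= min_sources and any(t[3] >= big for t in outgoing):
        flags.add("fan_in_then_large_outflow")

    # fragmentation: a burst of outgoing transfers to many distinct wallets inside one window
    for i, (ts, _, _, _) in enumerate(outgoing):
        burst = {t[2] for t in outgoing[i:] if t[0] - ts <= frag_window}
        if len(burst) >= frag_min:
            flags.add("rapid_fragmentation")
            break
    return sorted(flags)

if __name__ == "__main__":
    print(screen_wallet(WALLET, TXS, SANCTIONED))
```

A hit on any flag is a reason to pause payments and review, not proof of a sanctions nexus; the one-hop check in particular will also catch ordinary counterparties of a busy OTC desk.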

Where the Money Goes

Every dollar stolen from U.S. crypto firms doesn’t go to a luxury car or a private island. It goes to weapons.

The U.S. Treasury says the funds directly support North Korea’s ballistic missile program, nuclear warhead development, and cyber warfare units. In 2025 alone, the regime used crypto theft to fund over 12 missile tests. That’s not speculation; it’s based on financial tracing of funds linked to the DPRK’s Ministry of People’s Armed Forces.

The regime doesn’t need to hack banks. It doesn’t need to steal from ATMs. It just needs to hire a fake coder in a home office in Shenyang, and it gets a billion-dollar payoff.

What’s Next?

OFAC isn’t done. More designations are expected in early 2026. Investigators are digging into networks in Laos, Cambodia, and Southeast Asia, where North Korean front companies operate under the guise of IT outsourcing firms.

Crypto exchanges are under pressure to block transactions tied to sanctioned addresses. Some have started freezing wallets that show patterns matching DPRK laundering techniques: rapid fragmentation of funds, use of privacy coins like Monero, or transfers to known OTC brokers.

The message is clear: if you’re a crypto company hiring remote workers, you’re part of the frontline. Ignorance won’t protect you. And if you’re a hacker working for the DPRK? Your digital trail is getting longer, and your chances of staying hidden are shrinking.

Are OFAC sanctions on North Korean crypto networks still active in 2026?

Yes. The sanctions imposed in 2025 remain fully active as of February 2026. OFAC has not lifted any designations, and new entities continue to be added as investigations uncover more links in the network. U.S. financial institutions and crypto exchanges are legally required to block transactions involving sanctioned addresses, and penalties for violations are severe.

Can I accidentally do business with a North Korean-linked entity?

Yes, and that’s the danger. North Korean actors use front companies, fake identities, and layered transactions to hide their tracks. If your contractor uses a wallet that once interacted with a sanctioned address, even once, you could be flagged. That’s why crypto firms now use blockchain monitoring tools to screen for indirect exposure. Simply avoiding known bad actors isn’t enough anymore.

Which crypto assets are most commonly stolen by North Korean hackers?

USDC and ETH are the top two assets stolen, because they’re widely accepted, liquid, and easy to convert. USDC is preferred for payments to fake IT workers since it’s pegged to the U.S. dollar and avoids price volatility. ETH is used for moving funds between wallets because of its low transaction fees and high network throughput. NFTs have also been used to store value, especially high-value digital art pieces that can be sold later for cash.

How do North Korean hackers avoid detection when laundering crypto?

They use a three-step method:

  • Fragment funds across hundreds of wallets to avoid clustering.
  • Mix them with legitimate transactions using decentralized exchanges.
  • Convert to fiat via OTC brokers in Russia or the UAE who don’t ask questions.

They also reuse the same fake identities across multiple jobs to build trust before stealing.

What should a crypto company do if they suspect a remote worker is linked to North Korea?

Immediately freeze all payments and wallet access. Report the activity to FinCEN via a Suspicious Activity Report (SAR). Use blockchain analysis tools to trace where funds went. Don’t confront the worker; this could trigger data destruction or ransomware. Work with cybersecurity firms that specialize in DPRK threat actor detection. The goal is to contain the breach, not escalate it.