Treasury Sanctions North Korea IT Workers in $2.5M Crypto Scheme
The US Treasury announced sanctions on six individuals and two entities Thursday, all connected to Tron and Ethereum addresses that laundered funds for North Korea’s weapons program. The North Korean IT workers behind the scheme infiltrated companies worldwide, including blockchain firms, using stolen identities and fabricated work histories.
Not subtle.
The Office of Foreign Assets Control (OFAC) named names Thursday: Amnokgang Technology Development Company, a DPRK outfit managing overseas IT workers, and Nguyen Quang Viet, CEO of Vietnam-based Quangvietdnbg International Services Company Limited, accused of moving $2.5 million through crypto for the network. Five other individuals were sanctioned across Vietnam, Laos, and Spain.
All US assets frozen. No financial transactions permitted. Civil and criminal penalties if they try.
**How North Korea IT Workers Infiltrate Companies**
The scheme works like this: fake identities, fabricated LinkedIn profiles, doctored references. North Korean IT workers apply for remote tech positions at legitimate companies. Blockchain firms, Fortune 500s, startups, it doesn’t matter. Once hired, they collect paychecks. Some route the money back to Pyongyang. Others do something worse.
They plant malware.
I’ve seen this pattern before in traditional finance. Insider threat plus state backing. Ends badly. These operatives extract proprietary data, source code, customer information. The company thinks it hired a mid-level developer in Southeast Asia. In reality it employed an intelligence operative working for the DPRK.
Payroll fraud funds missiles. Data theft funds future attacks. Two revenue streams from one fake employee.
**The Crypto Laundering Infrastructure**
OFAC sanctioned 21 cryptocurrency addresses across Ethereum and Tron. Chainalysis noted Thursday that this multi-chain approach marks an evolution. North Korea isn’t married to one blockchain anymore. They move between networks based on liquidity, monitoring intensity, and compliance gaps.
The $2.5 million traced through Nguyen Quang Viet’s operation represents one node in a larger network. Google’s April 2025 report found the infrastructure spread worldwide. Vietnam, Laos, Spain, likely others not yet identified. Each jurisdiction offers different banking access, crypto exchange relationships, and enforcement risk.
Classic laundering structure: generate dirty money through fraud, move it through complicit facilitators in multiple countries, convert to crypto, shift across chains, cash out where possible.
Blockchain transparency cuts both ways. Transactions are traceable. But if you’re sanctioned, frozen addresses don’t stop you—you just generate new ones.
**What This Means for Crypto Companies**
You might have one on payroll right now.
Chainalysis called North Korean IT workers “a sophisticated and growing threat.” That’s not hype. Remote work expanded the attack surface. Companies hiring globally often skip thorough vetting. A developer in Hanoi or Barcelona? Sure, if the GitHub looks good.
Red flags to watch:
– Inconsistent time zone behavior (claims to be in Vietnam, active during Pyongyang hours)
– Payment routing through third parties or crypto
– Reluctance to do video calls or always “camera broken”
– Access requests beyond role scope
– Employment gaps that don’t match claimed experience
– References that don’t check out under scrutiny
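One way to turn the time zone red flag above into a repeatable check, as an added example that is not code from the original post: it compares a contractor’s activity timestamps (constructed here) with the UTC offset of the claimed location and finds which offsets best explain a normal working day. The working window, the tolerance and the use of fixed offsets are assumptions; production code should use DST-aware zoneinfo.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18   # assumed local working window [08:00, 18:00)
TOLERANCE = 0.15               # assumed gap between claimed and best fit that flags

def constructed_events():
    """Constructed sample: 10 days of commit/login timestamps (UTC) for one
    contractor. They fall at 23:10, 01:10, 03:10, 05:10 and 07:10 UTC, which is
    08:10 to 16:10 in Pyongyang (UTC+9) but starts at 06:10 in Vietnam (UTC+7)."""
    base = datetime(2025, 7, 7, tzinfo=timezone.utc)
    return [base + timedelta(days=d, hours=h, minutes=10)
            for d in range(10) for h in (23, 1, 3, 5, 7)]

def in_hours_share(events_utc, offset_hours):
    """Fraction of events inside the working window for a fixed UTC offset.
    Fixed offsets keep the example free of tzdata; real checks should use
    zoneinfo so daylight-saving shifts are handled."""
    tz = timezone(timedelta(hours=offset_hours))
    hours = [e.astimezone(tz).hour for e in events_utc]
    return sum(WORK_START <= h < WORK_END for h in hours) / len(hours)

def best_fit_offsets(events_utc):
    """All UTC offsets (-12..+14) under which the most events land in hours."""
    scores = {off: in_hours_share(events_utc, off) for off in range(-12, 15)}
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best), best

def assess(events_utc, claimed_offset):
    """Flag when the claimed location explains the activity noticeably worse
    than the best-fitting offsets. A 2-hour gap (Hanoi vs Pyongyang) is a weak
    signal on its own; treat it as one indicator to corroborate with the others."""
    claimed = in_hours_share(events_utc, claimed_offset)
    offsets, best = best_fit_offsets(events_utc)
    return {
        "claimed_share": round(claimed, 2),
        "best_offsets": offsets,
        "best_share": round(best, 2),
        "flag": (best - claimed) > TOLERANCE,
    }

if __name__ == "__main__":
    events = constructed_events()
    print(assess(events, claimed_offset=7))   # contractor claims Vietnam (UTC+7)
```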
The fraudulent workers don’t just steal paychecks. They steal code. Customer data. Private keys if they can reach them. One Google report case involved an operative accessing a crypto exchange’s internal systems for months before detection.
When caught, they vanish. New identity, new company, same operator.
**The Multi-Chain Problem**
Traditional sanctions work when money moves through banks. Freeze the account, stop the flow. Crypto adds friction to that model. North Korea’s pivot to multi-chain operations means monitoring 21 addresses across two networks today doesn’t prevent 50 new addresses across five networks tomorrow.
Ethereum and Tron offer different advantages. Ethereum has deeper liquidity and more DeFi infrastructure for laundering. Tron offers lower fees and faster settlement. The North Korean IT workers and their handlers exploit both.
Chainalysis tracks this. Blockchain forensics improve yearly. But detection lags deployment. By the time OFAC sanctions an address, the funds have often moved already. The designation creates a historical record and warns future counterparties. It doesn’t recover the money.
I’ve traded through enough cycles to know: technology moves faster than regulation. Always has. North Korea exploits that gap.
**Screening and Monitoring**
Chainalysis issued clear guidance Thursday: screen all counterparties against updated OFAC lists. That includes employees paid in crypto, contractors, vendors, anyone touching company funds or systems.
Most companies check sanctions lists at onboarding. Wrong approach. The North Korean IT workers get sanctioned after they’re caught, not before they apply. You need behavioral monitoring:
– Payment patterns (routing through unusual jurisdictions)
– Network access patterns (privilege escalation attempts)
– Code commits (inserting backdoors or exfiltration tools)
– Communication patterns (coordination with external parties)
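The counterparty screening Chainalysis recommends, as an added example that is not code from the original post, Chainalysis or OFAC: it normalizes Ethereum and Tron addresses so a listed address matches regardless of hex case or a missing 0x prefix, then screens a payroll file against the list. The list entries and payroll rows are constructed placeholders, not the real designations; chain labels follow the per-chain “Digital Currency Address” ID types OFAC uses in its SDN list.

```python
import re

# Constructed SDN-style entries (placeholder addresses, NOT the real designations).
# OFAC's SDN list carries such addresses as "Digital Currency Address - ETH/TRX"
# identifiers; a real loader would parse that feed on every update.
SANCTIONED = [
    ("ETH", "0xABCDEF" + "0" * 33 + "1", "2025-01-15"),
    ("TRX", "TAbcDefGhJkmNpQrStUvWxYz123456789A", "2025-01-15"),
]

# Constructed payroll rows: (employee id, chain, payout address)
PAYROLL = [
    ("dev-003", "ETH", "0x" + "0" * 39 + "2"),
    ("dev-042", "ETH", "abcdef" + "0" * 33 + "1"),      # no 0x prefix, lowercase
    ("dev-017", "TRX", "TAbcDefGhJkmNpQrStUvWxYz123456789A"),
]

ETH_HEX = re.compile(r"^[0-9a-f]{40}$")
# Tron: 'T' + 33 base58 chars (no 0, O, I, l). Format check only; the
# base58check checksum is not verified here.
TRX_RE = re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")

def normalize(chain, addr):
    """Canonical key for matching. Ethereum hex is case-insensitive, so fold it;
    Tron base58 is case-sensitive, so it is kept exactly as given."""
    addr = addr.strip()
    if chain == "ETH":
        hexpart = (addr[2:] if addr[:2].lower() == "0x" else addr).lower()
        if not ETH_HEX.match(hexpart):
            raise ValueError(f"bad ETH address: {addr!r}")
        return "0x" + hexpart
    if chain == "TRX":
        if not TRX_RE.match(addr):
            raise ValueError(f"bad TRX address: {addr!r}")
        return addr
    raise ValueError(f"unsupported chain: {chain}")

def build_index(entries):
    """(chain, canonical address) -> designation date."""
    return {(c, normalize(c, a)): d for c, a, d in entries}

def screen(payroll, index):
    """Rows whose payout address is listed. Re-run over the whole payroll after
    every list update, not only at onboarding."""
    hits = []
    for who, chain, addr in payroll:
        key = (chain, normalize(chain, addr))
        if key in index:
            hits.append((who, chain, key[1], index[key]))
    return hits
```

Calling `screen(PAYROLL, build_index(SANCTIONED))` returns the two listed payees, including the one whose address was entered without the 0x prefix.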
Crypto businesses face acute risk. You’re the target and the tool. The target because you hold digital assets. The tool because your infrastructure can launder funds.
Every exchange, every DeFi protocol, every custody provider should assume they’ve been targeted. Probably multiple times. Question is whether the controls caught it.
**The Revenue Model**
Why does North Korea bother with this? Weapons programs cost money. Sanctions cut off traditional revenue. Cyber operations fill the gap.
IT worker fraud generates steady income. A developer salary of $80,000 a year, multiplied by ten placed operatives, is $800,000 per year per cell. Scale that across hundreds of workers globally and the numbers add up. Lower risk than hacking exchanges directly. Harder to attribute than ransomware attacks.
The malware angle adds value. Proprietary code from a crypto exchange? That’s worth millions on dark markets or for planning future attacks. Customer databases? Useful for phishing and social engineering. Private key material? Direct theft opportunity.
Dual revenue stream: salaries today, exploits tomorrow.
Sanctions disrupt one cell. Five others keep operating. OFAC named six individuals Thursday. How many others remain undetected?
**What Comes Next**
This isn’t the last sanctions package. It won’t be the last batch of North Korean IT workers caught either. The scheme works too well. Remote work isn’t going away. Global talent pools aren’t shrinking. Verification remains hard.
Crypto companies should update screening immediately. Check OFAC’s list. Review current employees and contractors. Implement behavioral monitoring if you haven’t already. Consider requiring in-person verification for roles with system access.
Traditional finance learned this lesson decades ago: insider threat plus state backing requires layered controls. Crypto is learning it now.
The 21 sanctioned addresses are frozen. The operatives behind them will generate new ones. The six named individuals are cut off from the US financial system. Others will take their place in the network.
Chainalysis and blockchain forensics firms improve detection tools. North Korea improves evasion tactics. Same script every time.
For now, the message is clear: if you’re hiring remote tech workers without thorough vetting, you might be funding Pyongyang’s missile program. And you definitely won’t know until Treasury tells you.