North Korea isn’t just building missiles - it’s building crypto heists. In 2025 alone, U.S. officials say North Korean hackers stole over $2.1 billion in cryptocurrency, using fake IT workers, stolen identities, and shell companies to launder cash through global exchanges. The Office of Foreign Assets Control (OFAC) responded with its most aggressive sanctions campaign yet, targeting not just wallets and addresses, but the real people and companies hiding behind them.
How North Korea Turns IT Workers Into Crypto Thieves
You might think of North Korea as isolated, behind firewalls and iron curtains. But its cyber units have a quiet, dangerous presence inside U.S. tech companies - especially crypto startups and Web3 firms that hire remotely. These aren’t rogue hackers breaking into servers. They’re people with fake resumes, working from home offices in China, Russia, or Laos, pretending to be developers, project managers, or data analysts. Their names? Joshua Palmer. Alex Hong. They don’t exist. These identities are recycled across dozens of operations, pulled from stolen documents and reused on freelance platforms like Freelancer, GitHub, and RemoteHub. Once hired, they’re given access to internal systems, client data, and sometimes even wallet keys. Then, they wait. Or they steal. Or they demand ransom. Security firms track these groups under names like Famous Chollima, UNC5267, and Wagemole. They’re not freelance criminals. They’re state-sponsored. Directly linked to the Workers’ Party of Korea. Their job isn’t just to hack - it’s to gather intel. A developer who writes clean code today might be mapping your company’s security gaps for a future attack. That’s the dual-purpose design: legitimate work as camouflage.
The Money Trail: From Stablecoins to Cash
The stolen crypto doesn’t stay on-chain. It moves fast. Workers collect payments in USDC, ETH, or other stablecoins - easy to transfer, hard to trace. They funnel it into self-hosted wallets, then split it across dozens of addresses to avoid detection. From there, it flows through centralized exchanges, often in jurisdictions with weak oversight. The final step? Turning digital money into real cash. That’s where the OTC brokers come in. OFAC sanctioned one such broker in late 2024. These brokers, often based in Russia or the UAE, take the crypto and hand over U.S. dollars in person. No paper trail. No bank records. Just cash. One North Korean operative, Kim Ung Sun, was directly tied to over $600,000 in cash conversions. The Department of Justice filed a civil forfeiture complaint in June 2025, targeting $7.7 million in digital assets - including NFTs - linked to this exact laundering chain. Wallets connected to sanctioned individuals like Kim Sang Man and Sim Hyon Sop were traced back to these payments, showing a clear line from stolen crypto to North Korean weapons programs.
Who Else Is Involved? The Global Network
This isn’t just a North Korean operation. It’s a global network. On August 27, 2025, OFAC added Russian national Vitaliy Sergeyevich Andreyev to its sanctions list. He wasn’t a hacker. He was a facilitator - helping move money, set up shell companies, and provide infrastructure. His ties to two Chinese entities - Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation - revealed how deeply embedded these schemes are in cross-border commerce. Front companies operate out of China, Laos, and Russia. One, Chinyong Information Technology Cooperation Company, was sanctioned back in May 2023. But it’s just one of many. In October 2025, OFAC expanded its list again, adding Korea Sobaeksu Trading Company and three individuals - Kim Se Un, Jo Kyong Hun, and Myong Chol Min - for helping evade sanctions and funneling money to Pyongyang. The infrastructure is international. IP addresses from Moscow. Bank accounts in Dubai. Fake IDs from Eastern Europe. The North Korean regime doesn’t need to be everywhere - it just needs to find the weak links. And it has.
What’s Being Done? The U.S. Government’s Response
This isn’t just OFAC acting alone. It’s a whole-of-government effort. The Department of Justice seized digital assets. The FBI tracked wallet activity. Homeland Security Investigations followed the cash. The State Department coordinated with Japan and South Korea, issuing joint statements on the threat. TRM Labs, a blockchain analytics firm, has been mapping transaction patterns for months, flagging addresses that match known DPRK behavior. The strategy is simple: cut off the money. Sanction the wallets. Freeze the accounts. Name the people. Make it risky for anyone to do business with them. Since 2021, these schemes have generated over $1 million in revenue for North Korea’s weapons programs, according to Treasury estimates. But the scale exploded in 2025. The $2.1 billion stolen in the first half of the year alone is more than the total from the previous five years combined. That’s why the response has gotten so much tougher.
Why This Matters for Crypto Companies
If you run a crypto startup, you’re a target. Not because you’re rich - because you’re vulnerable. Remote hiring is common. Background checks are often minimal. You don’t ask for a passport from someone in Pyongyang - you check their GitHub profile. But those profiles? They’re fakes. One worker used the same identity across six different companies over 18 months. No one caught it. The risk isn’t just theft. It’s ransomware. It’s data leaks. It’s your intellectual property ending up in a North Korean lab. And if you’re found to have done business with a sanctioned entity - even unknowingly - you could face penalties too. That’s why screening isn’t optional anymore. Companies need to check every contractor, every freelancer, every remote hire against the OFAC list. Not just names - wallet addresses, IP ranges, even email domains. The North Koreans are good. But they’re not perfect. They reuse the same tools. The same wallets. The same fake identities. If you know what to look for, you can spot them.
What Comes Next?
More sanctions are coming. Investigators are still digging into Russian and Chinese facilitators. TRM Labs and other firms are building AI models to detect behavioral patterns - like how funds move from exchange to exchange, or how addresses split and recombine. The goal? Predict the next move before it happens. North Korea’s crypto heists aren’t slowing down. They’re getting smarter. But the U.S. is getting faster. The sanctions aren’t just about punishment. They’re about deterrence. Every time a wallet is frozen, every time a broker is named, every time a fake ID is exposed, it becomes harder for the regime to operate. The message is clear: if you help North Korea steal crypto, you’re not just breaking rules. You’re funding missiles. And the U.S. will find you.
How much crypto has North Korea stolen in 2025?
According to TRM Labs, North Korean cyber units stole over $2.1 billion in cryptocurrency during the first half of 2025 alone - more than the total from the previous five years combined. This surge is tied to increased use of remote IT worker fraud schemes and more sophisticated laundering methods.
Who is Kim Ung Sun and why is he sanctioned?
Kim Ung Sun is a North Korean operative directly linked to converting stolen cryptocurrency into U.S. cash. OFAC sanctioned him in August 2025 for facilitating over $600,000 in financial transfers through OTC brokers and shell companies. He’s part of a network that funnels money to senior DPRK officials involved in weapons programs.
How do North Korean hackers get hired by U.S. companies?
They use fake identities and stolen documents to apply for remote IT jobs on platforms like Freelancer, GitHub, and RemoteHub. Many pose as developers from Southeast Asia or Eastern Europe. Companies often skip deep background checks due to the remote nature of the work, making it easy for them to slip in undetected.
What role do Russian and UAE entities play in these schemes?
Russian and UAE-based individuals and companies act as financial facilitators. They provide infrastructure, shell companies, and OTC brokers that convert crypto into cash. Vitaliy Sergeyevich Andreyev, a Russian national sanctioned in August 2025, helped set up these networks. These jurisdictions often have weaker enforcement, making them ideal for laundering.
Can crypto companies get in trouble even if they didn’t know they were dealing with North Koreans?
Yes. OFAC sanctions are strict liability. If your company sends funds to a sanctioned wallet - even accidentally - you could face fines or legal action. That’s why firms are now required to screen contractors, wallets, and transaction histories against OFAC’s list. Ignorance isn’t a defense.
What’s the link between these crypto thefts and North Korea’s weapons program?
The U.S. Treasury has confirmed that all proceeds from these thefts go directly to fund North Korea’s ballistic missile and weapons of mass destruction programs. The regime relies on crypto theft because traditional banking channels are blocked by sanctions. Crypto is its lifeline.
How can I protect my crypto company from these threats?
Screen every remote hire against OFAC’s sanctions list. Use blockchain analytics tools to monitor wallet addresses linked to contractors. Avoid hiring through platforms with no identity verification. Require video interviews and verified work histories. Treat every remote developer like a potential insider threat - because they might be.
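A minimal screening pass over contractor records, added here as an illustration and not taken from OFAC or any vendor tool. It assumes list rows shaped like OFAC SDN entries, with wallets recorded in the remarks as `Digital Currency Address - <ticker> <address>`; the wallet addresses and the `SAMPLE LISTED ENTITY` row are constructed placeholders.

```python
import re
import unicodedata

# Constructed sample rows in the shape of OFAC SDN entries: (name, remarks).
# Names come from the article; the wallet addresses are made-up placeholders.
SAMPLE_LIST = [
    ("KIM, Ung Sun", ""),
    ("ANDREYEV, Vitaliy Sergeyevich", ""),
    ("SAMPLE LISTED ENTITY",
     "Digital Currency Address - ETH 0x" + "AB" * 20 +
     "; alt. Digital Currency Address - XBT 1ConstructedPlaceholderAddr;"),
]

ADDR_RE = re.compile(r"Digital Currency Address - (\w+) ([0-9A-Za-z]+)")

def norm_name(name):
    """Order-insensitive key: strip accents and punctuation, lowercase, sort tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return tuple(sorted(re.sub(r"[^a-z ]", " ", ascii_name.lower()).split()))

def norm_addr(addr):
    """0x-hex addresses are case-insensitive (checksum casing); base58 ones are not."""
    addr = addr.strip()
    return addr.lower() if addr.lower().startswith("0x") else addr

def build_index(rows):
    names, wallets = {}, {}
    for name, remarks in rows:
        names[norm_name(name)] = name
        for _ticker, addr in ADDR_RE.findall(remarks):
            wallets[norm_addr(addr)] = name
    return names, wallets

def screen(contractor, names, wallets):
    """Return a list of (field, listed_entry) hits for one contractor record."""
    hits = []
    if norm_name(contractor["name"]) in names:
        hits.append(("name", names[norm_name(contractor["name"])]))
    for addr in contractor.get("wallets", []):
        if norm_addr(addr) in wallets:
            hits.append(("wallet", wallets[norm_addr(addr)]))
    return hits

def reused_wallets(contractors):
    """Payout wallets shared by more than one claimed identity."""
    seen = {}
    for c in contractors:
        for addr in c.get("wallets", []):
            seen.setdefault(norm_addr(addr), set()).add(norm_name(c["name"]))
    return {a for a, ids in seen.items() if len(ids) > 1}
```

Exact token matching is only a floor: production screening also needs alias lists and fuzzy matching for transliterated names. The `reused_wallets` check targets the reuse pattern the article describes, where several claimed identities are paid to the same wallet.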
4 Comments
Angel RYAN
Real talk - this isn’t just about crypto. It’s about how we’ve outsourced trust to the internet. We hire people we’ve never met, based on GitHub stars and a LinkedIn photo that could be from 2018. North Korea didn’t hack the system. We handed them the keys.
And now we’re surprised when the lights go out?
We need to stop pretending remote hiring is low-risk. It’s not. It’s a minefield with a fake smile.
Screening isn’t bureaucracy. It’s survival.
Vaibhav Jaiswal
Bro. I just got hired by a Web3 startup last week. They didn’t even ask for my ID. Just a Zoom call, a Fiverr profile, and a ‘you’re good.’
Now I’m sweating bullets. What if I’m working next to someone who’s literally funding ICBMs?
And we’re all just vibin’ like it’s a co-working space in Bangalore.
Y’all need to wake up. This isn’t sci-fi. It’s Tuesday.
Savan Prajapati
Sanctions won’t stop this. They just make it harder. The North Koreans don’t care. They’ll use 100 fake IDs. We’re still hiring based on resumes. Stupid.
Ian Esche
Let’s be clear - this is war. Not cybercrime. Not fraud. War. They’re stealing billions to build nukes while we’re busy debating whether to ask for a passport.
Time to stop being polite. Ban every freelancer from DPRK-linked IPs. Block all OTC brokers in Russia and UAE. Freeze every wallet that even looks suspicious.
If you’re not with us, you’re enabling them. No more middle ground.