OFAC Sanctions on North Korean Crypto Networks: How the U.S. Is Stopping $2.1 Billion in Crypto Theft

The U.S. government has launched its biggest crackdown yet on North Korea’s cryptocurrency theft operations - and it’s working. In 2025 alone, North Korean hackers stole over $2.1 billion in crypto, according to TRM Labs. That’s more than the entire GDP of some small countries. And it’s not random hacking. It’s a state-run machine, fueled by fake IT workers, stolen identities, and a global network of money launderers. The Office of Foreign Assets Control (OFAC) responded with a wave of sanctions targeting the people, companies, and crypto wallets behind it all.

How North Korea Steals Billions Using Fake IT Workers

North Korea doesn’t break into exchanges with malware. Instead, its operatives get hired - under false identities. Thousands of North Korean workers, posing as freelancers or remote employees, are embedded in U.S. and global tech companies, especially in the crypto and Web3 space. They apply for jobs on platforms like Freelancer, RemoteHub, and WorkSpace.ru. Their resumes? Fake. Their GitHub profiles? Stolen from real developers. Their identities? Entirely manufactured.

These workers aren’t just writing code. They’re scouting. They’re learning how companies secure their wallets, what tools they use, and where the weak spots are. Once they’ve gathered enough intel, they strike - stealing private keys, draining hot wallets, or planting backdoors. Some even demand ransoms in crypto, threatening to leak proprietary data unless they’re paid.

One of the most common aliases used? "Joshua Palmer." Another? "Alex Hong." Both names have appeared across dozens of fraudulent profiles on LinkedIn, Upwork, and even internal company directories. Security researchers track these operations under names like Famous Chollima, Jasper Sleet, and UNC5267. All of them link back to the Workers’ Party of Korea.

The Money Trail: From Crypto to Cash

The stolen crypto doesn’t stay on the blockchain. It gets laundered. And it’s messy. Hackers use a mix of centralized exchanges, self-hosted wallets, and over-the-counter (OTC) brokers to convert digital assets into cash. They fragment funds across hundreds of wallets, making it harder to trace. Then, they move the money through intermediaries in Russia, the UAE, and China.

One key player is Vitaliy Sergeyevich Andreyev, a Russian national sanctioned by OFAC in August 2025. He helped move nearly $600,000 in crypto for North Korean operative Kim Ung Sun - converting it into physical U.S. dollars. That cash? Likely funneled into weapons programs. Another entity, Shenyang Geumpungri Network Technology Co., Ltd, operated out of China and acted as a front for IT worker recruitment and payment processing.

In June 2025, the Department of Justice filed a civil forfeiture complaint seeking over $7.7 million in seized assets - including USDC, ETH, and even NFTs - tied to this network. The wallets involved showed clear patterns: small, frequent transfers to obscure addresses, then sudden large withdrawals to sanctioned exchanges. The FBI and Homeland Security Investigations have since frozen dozens of these wallets and seized the underlying assets.
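The fan-out-then-cash-out pattern described above can be written down as a detection rule. The Python below is an added example, not code from TRM Labs, OFAC or the DOJ filing; every address, amount and timestamp is constructed, the sanctioned-address set is a placeholder standing in for OFAC SDN data, and the thresholds (24-hour window, five fragment wallets, 1.0 and 5.0 ETH size limits, three hops) are assumptions to tune against real chain data.

```python
"""Heuristic detector for the layering pattern described above: many small
transfers fanned out from one wallet, consolidated, then a single large
withdrawal to a sanctioned address.  Added example; all addresses, amounts
and thresholds are constructed assumptions, not values from the article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount: float  # one asset (say ETH) for simplicity


def find_fan_out(transfers, window=timedelta(hours=24), small_limit=1.0, min_fanout=5):
    """Return {source: {destinations}} for every source that sent at least
    `min_fanout` transfers of <= small_limit to distinct addresses inside
    any `window`-long span."""
    small_by_src = defaultdict(list)
    for t in transfers:
        if t.amount <= small_limit:
            small_by_src[t.src].append(t)
    flagged = {}
    for src, outs in small_by_src.items():
        outs.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(outs)):
            # slide the window so outs[start:end+1] fits inside `window`
            while outs[end].ts - outs[start].ts > window:
                start += 1
            dsts = {t.dst for t in outs[start:end + 1]}
            if len(dsts) >= min_fanout:
                flagged.setdefault(src, set()).update(dsts)
    return flagged


def trace_to_sanctioned(transfers, fragments, sanctioned, large_limit=5.0, max_hops=3):
    """Follow outgoing transfers from the fragment wallets for up to
    `max_hops` hops and return the large transfers that land on a
    sanctioned address."""
    out_by_src = defaultdict(list)
    for t in transfers:
        out_by_src[t.src].append(t)
    frontier, seen, hits = set(fragments), set(fragments), []
    for _ in range(max_hops):
        nxt = set()
        for addr in frontier:
            for t in out_by_src[addr]:
                if t.dst in sanctioned and t.amount >= large_limit:
                    hits.append(t)
                elif t.dst not in seen:
                    nxt.add(t.dst)
        seen |= nxt
        frontier = nxt
        if not frontier:
            break
    return hits


def detect_layering(transfers, sanctioned, window=timedelta(hours=24),
                    small_limit=1.0, min_fanout=5, large_limit=5.0, max_hops=3):
    """{fan-out source: [large transfers that reach a sanctioned address]}."""
    report = {}
    for src, frags in find_fan_out(transfers, window, small_limit, min_fanout).items():
        hits = trace_to_sanctioned(transfers, frags, sanctioned, large_limit, max_hops)
        if hits:
            report[src] = hits
    return report


# Constructed sample: a compromised hot wallet fragments 5.4 ETH into six
# fresh wallets, they consolidate into one collector, and the collector
# cashes out to a placeholder sanctioned exchange address.
SANCTIONED = {"0xSANCTIONED_EXCHANGE_PLACEHOLDER"}  # real sets come from OFAC SDN data
T0 = datetime(2025, 6, 1, 0, 0)
SAMPLE = (
    [Transfer(T0 + timedelta(minutes=10 * i), "0xHOT", f"0xFRAG{i}", 0.9) for i in range(6)]
    + [Transfer(T0 + timedelta(hours=3, minutes=i), f"0xFRAG{i}", "0xCOLLECT", 0.9) for i in range(6)]
    + [Transfer(T0 + timedelta(days=1), "0xCOLLECT", "0xSANCTIONED_EXCHANGE_PLACEHOLDER", 5.4)]
    + [Transfer(T0, "0xPAYROLL", "0xEMPLOYEE", 0.3)]  # benign one-off, must not be flagged
)

if __name__ == "__main__":
    for src, hits in detect_layering(SAMPLE, SANCTIONED).items():
        print(src, "->", [(h.src, h.dst, h.amount) for h in hits])
```

The two checks are deliberately separate: fan-out alone also describes legitimate batch payouts, and a large transfer to a listed address alone is already a direct sanctions hit. It is the combination, small fragments that later re-converge on a listed address, that matches the laundering behaviour the forfeiture complaint describes, so that is what the report keys on.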

Who’s Being Sanctioned - And Why

OFAC doesn’t just slap names on a list. They go after the entire pipeline. In 2025, they targeted:

  • Kim Ung Sun - A North Korean national directly involved in converting crypto to cash for weapons funding.
  • Vitaliy Sergeyevich Andreyev - A Russian facilitator who helped move funds through shell companies.
  • Shenyang Geumpungri Network Technology Co., Ltd - A China-based company that recruited and paid North Korean IT workers.
  • Korea Sinjin Trading Corporation - A front for smuggling and financial operations.
  • Korea Sobaeksu Trading Company - A new addition in October 2025, linked to sanctions evasion.

Each of these entities had direct ties to previously sanctioned individuals like Kim Sang Man and Sim Hyon Sop - senior DPRK operatives who’ve been on OFAC’s list since 2017. This isn’t random. It’s a chain of command. And OFAC is following it.

How This Affects U.S. Companies

If you run a crypto startup or a remote tech team, you’re a target. North Korean operatives don’t need to hack your network. They just need to get hired. And because so many companies rely on freelance platforms and don’t do deep background checks, they’re easy to slip into.

The damage isn’t just financial. It’s reputational. One company in Austin lost $1.2 million in ETH after a fake developer with a forged GitHub profile gained access to their treasury wallet. Another in San Francisco had its internal codebase exfiltrated and held for ransom. The attackers demanded 50 BTC - and threatened to publish proprietary AI training data if they didn’t pay.

The Treasury Department warns: "These schemes are not just theft - they’re espionage with a price tag." And they’re costing American businesses millions.

The Global Response - And What’s Next

This isn’t just a U.S. problem. Japan and South Korea issued joint statements in August 2025, calling for coordinated action. The FBI, DOJ, DHS, and State Department are working with international partners to track IP addresses, freeze bank accounts, and shut down OTC brokers that knowingly handle DPRK funds.

One broker in Dubai was sanctioned in late 2024 for moving $18 million in crypto linked to North Korea. Another in Moscow was raided in September 2025 after investigators traced a series of transactions back to a sanctioned wallet.

Blockchain analysis firms like TRM Labs are now monitoring over 1,200 crypto addresses tied to DPRK-linked activity. They’re looking for behavioral patterns - like repeated use of the same wallet prefixes, or transfers that happen right after payroll cycles in U.S. companies. It’s not perfect, but it’s getting better.

What Businesses Should Do Now

If you’re hiring remote developers - especially from freelance platforms - here’s what you need to do:

  1. Verify identities - Don’t just check LinkedIn. Cross-reference GitHub commits, past employment, and professional references. Look for inconsistencies.
  2. Limit wallet access - Never give freelance workers access to production wallets. Use multi-sig and role-based permissions.
  3. Monitor for red flags - Workers who ask for payment in stablecoins, refuse video interviews, or have no verifiable past work? Walk away.
  4. Screen against OFAC lists - Use free tools like OFAC’s Sanctions List Search. Check names, addresses, and even email domains.
  5. Train your team - Phishing and fake job offers are the #1 entry point. Make sure your HR and engineering teams know the signs.
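Step 4 of the checklist, screening names, wallet addresses and email domains against the OFAC list, is the one that is easy to automate at onboarding. The Python below is an added example, not an OFAC tool and not code from the article. The two CSV rows are constructed (the names, addresses and domains are placeholders, and the bitcoin address is not a valid one), but they follow the column layout of OFAC's downloadable sdn.csv: twelve columns, "-0-" for empty fields, and digital-currency addresses and contact details embedded in the final Remarks column. The 0.85 similarity threshold is an assumption.

```python
"""Sanctions screening for the hiring checklist above.  Added example, not
an OFAC tool.  The rows below are constructed but follow the column layout
of OFAC's published sdn.csv (12 columns, "-0-" for empty fields, digital
currency addresses and contact details in the final Remarks column)."""
import csv
import io
import re
from difflib import SequenceMatcher

# Constructed rows; a real run would load https://www.treasury.gov/ofac/downloads/sdn.csv
SAMPLE_SDN_CSV = """\
90001,"DOE, Example Operative",individual,DPRK3,-0-,-0-,-0-,-0-,-0-,-0-,-0-,"DOB 01 Jan 1980; nationality Korea, North; Digital Currency Address - ETH 0x00000000000000000000000000000000000000aa; Digital Currency Address - XBT bc1qplaceholderplaceholderplaceholder00."
90002,"EXAMPLE FRONT NETWORK TECHNOLOGY CO., LTD",-0-,DPRK3,-0-,-0-,-0-,-0-,-0-,-0-,-0-,"Website example-front.invalid; Email Address payroll@example-front.invalid."
"""

ADDR_RE = re.compile(r"Digital Currency Address - (\w+) ([A-Za-z0-9]+)")
EMAIL_RE = re.compile(r"Email Address ([\w.+-]+@[\w.-]+\w)")


def load_sdn(text):
    """Parse sdn.csv-style rows into dicts of name, program, wallets and email domains."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 12:
            continue
        remarks = row[11]
        entries.append({
            "id": row[0],
            "name": row[1],
            "program": row[3],
            "wallets": {addr.lower() for _chain, addr in ADDR_RE.findall(remarks)},
            "domains": {m.split("@")[1].lower() for m in EMAIL_RE.findall(remarks)},
        })
    return entries


def normalize_name(name):
    """Lower-case, strip punctuation and sort tokens so 'DOE, Example' and
    'Example Doe' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    return " ".join(sorted(tokens))


def name_similarity(a, b):
    """0.0-1.0 similarity of two names after normalisation."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def screen_candidate(entries, name=None, wallet=None, email=None, threshold=0.85):
    """Return a list of (reason, sdn_id, sdn_name) hits for the supplied
    candidate attributes.  Any hit should hold onboarding pending review."""
    hits = []
    for e in entries:
        if name and name_similarity(name, e["name"]) >= threshold:
            hits.append(("name", e["id"], e["name"]))
        if wallet and wallet.lower() in e["wallets"]:
            hits.append(("wallet", e["id"], e["name"]))
        if email and email.split("@")[-1].lower() in e["domains"]:
            hits.append(("email_domain", e["id"], e["name"]))
    return hits


ENTRIES = load_sdn(SAMPLE_SDN_CSV)

if __name__ == "__main__":
    # A candidate whose payout wallet is on the list, under a different name.
    print(screen_candidate(ENTRIES, name="J. Contractor",
                           wallet="0x00000000000000000000000000000000000000AA",
                           email="j.contractor@example-front.invalid"))
```

Wallet and domain matches are exact, so they are the reliable signals; the name check is the weak one. Token sorting handles "Surname, Given" versus "Given Surname", but plain sequence similarity scores romanisation variants of Korean names (spacing or hyphenation of syllables) well below 0.85, so a name miss is not a clean result, and OFAC's own Sanctions List Search should still be run on the final candidate.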

Why This Matters Beyond Crypto

This isn’t just about stolen Bitcoin. It’s about survival. The money stolen by these networks funds North Korea’s nuclear weapons, ballistic missiles, and chemical weapons programs. Every dollar laundered through a fake IT worker could be paying for a missile that threatens global security.

The U.S. government is treating this like a national security threat - because it is. And while sanctions won’t stop every hack, they’re making it harder. They’re freezing assets. They’re cutting off access to the global financial system. They’re forcing North Korea to work harder for less.

The goal isn’t to eliminate the threat overnight. It’s to make it too expensive, too risky, and too visible to keep running.

What’s Coming Next

More sanctions are coming. In October 2025, Treasury officials hinted at new designations targeting additional front companies in Laos and Vietnam. They’re also looking at AI-generated fake profiles - a new tactic where North Korean operatives use generative AI to create realistic-looking resumes and video interviews.

Meanwhile, blockchain analytics firms are building AI models to predict which wallets are likely DPRK-linked, based on transaction timing, wallet age, and fund movement patterns. The next wave of enforcement won’t just rely on names - it’ll rely on behavior.

The message is clear: if you’re helping North Korea steal crypto, you’re helping them build weapons. And the U.S. is coming for you - no matter where you are.

Lani Manalansan - November 21, 2025 AT 03:07

It’s wild to think that someone with a fake GitHub profile could cost a company over a million dollars. I’ve seen these profiles on Upwork - they look so real, with perfect grammar and staged project histories. It’s like digital impersonation on a corporate scale.

Companies need to treat remote hires like high-security clearances. Not just background checks - but behavioral audits, code review trails, and mandatory video interviews with third-party observers. This isn’t just IT security - it’s national infrastructure vulnerability.

Frank Verhelst - November 22, 2025 AT 20:05

This is why we need to stop treating crypto hiring like a gig economy free-for-all 🤯

Imagine hiring a ‘developer’ who’s actually a missile programmer in disguise. We’re not just losing money - we’re enabling regimes that want to burn the whole system down. Time to lock down those wallets and stop being so desperate for cheap labor.

Roshan Varghese - November 24, 2025 AT 16:58

fake news alert!! this whole thing is a distraction so the feds can justify more surveillance on normal people. who says these 'north korean hackers' even exist? maybe it's the NSA planting fake wallets to scare startups into buying their 'security solutions'.

and why is everyone so scared of a few guys on freelancer? sounds like corporate fear porn to me 😏

Dexter Guarujá - November 25, 2025 AT 01:30

Let’s be real - this isn’t about crypto theft. It’s about America finally waking up to the fact that we’ve outsourced our national security to LinkedIn and Upwork.

Every time a company hires a ‘remote developer’ without a SSN check or a fingerprint scan, they’re literally handing a nuclear launch code to a regime that has no moral compass. If you’re not screening your devs against OFAC, you’re complicit. Period.

Jennifer Corley - November 26, 2025 AT 13:43

Interesting how the article frames this as a ‘state-run machine’ - but ignores the fact that the U.S. tech industry created the infrastructure that made this possible. Remote work, anonymous crypto payments, unverified freelance platforms - these weren’t accidents. They were features.

Now we’re surprised when the system gets weaponized? Classic.

Natalie Reichstein - November 27, 2025 AT 21:00

People don’t realize how dangerous it is to trust a resume anymore. I’ve reviewed 300+ dev profiles in the last year - 12% had red flags. Ghost GitHub commits. Fake LinkedIn endorsements. One guy claimed he worked at Google for 5 years… but his first commit was 6 months ago.

It’s not paranoia. It’s pattern recognition. And if you’re not doing it, you’re the next target.

Kaitlyn Boone - November 28, 2025 AT 14:52

they always say 'trust but verify' but nobody verifies. i work at a startup and our cto just hired a guy from bangladesh who 'worked at meta' - no interview, no code test, just a paypal link. now our treasury wallet got drained. no one even noticed until the blockchain explorer pinged us.

we're all just waiting for the next blowup
