SEA MarketWatch

OFAC Sanctions on North Korean Crypto Networks: How the U.S. Is Cutting Off Weapon Funding Through Crypto

By Kieran Ashdown 14 Jan 2026

North Korea has turned cryptocurrency into a weapons factory. Not with mines or factories, but with code, fake identities, and remote workers hiding in plain sight inside U.S. tech companies. By mid-2025, U.S. officials confirmed that North Korean hackers had stolen over $2.1 billion in crypto in just six months - money flowing straight into missile programs and nuclear tests. The Office of Foreign Assets Control (OFAC) responded with the most aggressive sanctions campaign in its history, targeting not just wallets, but entire networks of people, companies, and front operations spanning Russia, China, and the UAE.

How North Korea Uses Remote IT Workers to Steal Crypto

It doesn’t start with a hack. It starts with a job application.

North Korean operatives create fake profiles - often using stolen photos and documents - and apply for remote IT jobs at crypto startups, Web3 firms, and blockchain developers. They use platforms like GitHub, Freelancer, RemoteHub, and WorkSpace.ru to build credibility. Once hired, they’re given access to internal systems, codebases, and sometimes even payroll and wallet keys. They work quietly. They meet deadlines. They even help fix bugs.

Then, over weeks or months, they quietly siphon off funds. They move crypto to wallets they control, often using stablecoins like USDC to avoid price swings. Some use NFTs as digital cash - buying a $500,000 NFT, then selling it to a shell company. Others route money through multiple exchanges, breaking large transfers into dozens of tiny ones to evade detection.

These aren’t random criminals. They’re part of state-run units. Security firms track them under names like Famous Chollima, Jasper Sleet, and UNC5267. These groups are tied directly to the Workers’ Party of Korea. Their goal isn’t just theft - it’s survival. Every dollar stolen buys fuel for missiles, rare earth metals for warheads, and salaries for scientists.

The $7.7 Million Heist: Fake Identities, Real Money

In June 2025, the U.S. Department of Justice filed a civil forfeiture complaint for over $7.7 million in digital assets linked to North Korean IT workers embedded in U.S. tech firms. The names? Joshua Palmer and Alex Hong. Both were fake. Both collected payments in stablecoins from real companies in San Francisco, Austin, and New York. One company even gave “Joshua” a performance bonus.

The money didn’t stay in crypto. It was converted to cash through over-the-counter (OTC) brokers - some of which OFAC later sanctioned. From there, it was smuggled across borders. One key player, Kim Ung Sun, personally moved nearly $600,000 in crypto to U.S. dollars using cash couriers in China and Russia. He didn’t need a bank. He needed a suitcase.

The laundering chain was complex: crypto → self-hosted wallets → centralized exchanges → OTC brokers → cash → Russian or UAE shell companies → North Korea. Investigators found reused IP addresses, identical document templates, and even the same fake LinkedIn profiles appearing across five different operations.

OFAC’s Sanctions: Targeting the Network, Not Just Wallets

Before 2025, OFAC mostly froze crypto addresses. That didn’t stop North Korea. So OFAC changed tactics.

On August 27, 2025, OFAC sanctioned Russian national Vitaliy Sergeyevich Andreyev and North Korean individual Kim Ung Sun - not because they owned wallets, but because they facilitated the theft. They also targeted two companies: Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation. These weren’t hacker groups. They were HR agencies. They recruited IT workers, handled payroll, and laundered payments.

This was a game-changer. Now, if you hire someone through one of these firms - even unknowingly - you could be violating U.S. law. The sanctions don’t just block transactions. They block relationships. Any business that pays an invoice to a sanctioned entity, even indirectly, risks penalties.

By October 2025, OFAC had added seven more entities, including Korea Sobaeksu Trading Company and individuals like Kim Se Un and Jo Kyong Hun. These were the middlemen - the ones who connected North Korean workers to Western employers, handled contracts, and moved money through fake invoices and shell corporations.


Why Crypto Is North Korea’s Weapon of Choice

Sanctions have choked off North Korea’s access to global banking. Traditional wire transfers? Blocked. International trade? Crippled. But crypto? It’s borderless, anonymous, and fast.

Unlike cash smuggling, which requires physical movement and risk, crypto can be sent in seconds from a laptop in Pyongyang to a wallet in Dubai. And because most crypto companies operate remotely, they don’t verify identities the way banks do. A fake GitHub profile with 100 commits looks more legitimate than a forged passport.

The result? North Korea has generated over $1 million in crypto revenue every year since 2021 - and that’s just what’s been tracked. The real number is likely much higher. The U.S. Treasury estimates that nearly 80% of the stolen funds directly fund ballistic missile tests and nuclear warhead development.

Who’s Really at Risk?

It’s not just the U.S. government. Small crypto startups are the most vulnerable.

A founder hiring a remote developer from a freelance site might not know they’re paying a North Korean operative. They see a portfolio. They see good reviews. They see a time zone that works. They don’t see the fake ID, the reused photo, the same profile on five different platforms.

Even big companies aren’t safe. In 2025, a well-known Web3 firm discovered that one of their top contractors had been transferring company wallet keys to a North Korean-controlled address over six months. The company didn’t notice until the wallet drained itself - and then traced the funds to a wallet previously flagged by TRM Labs.

The risk isn’t just financial. It’s operational. These workers steal source code, API keys, and internal documentation. Some have planted malware that waits for months before activating. Others use their access to create backdoors for future ransomware attacks.


How to Protect Your Business

If you run a crypto or tech company and hire remotely, here’s what you need to do:

  • Verify identities beyond LinkedIn and GitHub. Ask for video interviews. Request real-time coding tests. Check if the same profile appears on multiple freelance sites under different names.
  • Use blockchain screening tools. Services like TRM Labs, Chainalysis, and Elliptic can flag if a worker’s wallet has ever interacted with a sanctioned address. Run checks before payment.
  • Limit wallet access. Don’t give remote contractors access to hot wallets or admin keys. Use multi-sig and time-locked transfers.
  • Monitor for red flags. Workers who insist on being paid in USDC or DAI. Workers who refuse video calls. Workers who use free email domains like @mail.ru or @yandex.com. Workers who’ve been with you for over a year but never met anyone in person.
  • Train your team. Many breaches happen because an employee approves a payment without checking the recipient. Create a simple checklist: Is the vendor on the OFAC list? Has this person been flagged by blockchain analysts?
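The checklist above can be turned into a pre-payment gate. This is an added example, not code from the article or from any screening vendor; the record fields, the placeholder address, the sample roster and the "two soft flags means review" policy are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder, not a real indicator; load your screening export here.
SANCTIONED_ADDRS = {"0xsanctioned_placeholder_01"}
FREE_MAIL = {"mail.ru", "yandex.com"}   # domains named in the checklist
STABLECOINS = {"USDC", "DAI"}           # assets named in the checklist

@dataclass
class Contractor:
    name: str
    email: str
    payout_addr: str
    start: date
    accepts_video: bool
    met_in_person: bool
    photo_hash: str        # hash of the profile photo, assumed precomputed
    insists_on: str = ""   # asset the worker demands to be paid in, if any

def screen(c, roster, today):
    """Return the list of flags raised for contractor c."""
    flags = []
    if c.payout_addr.strip().lower() in SANCTIONED_ADDRS:
        flags.append("BLOCK: payout address is on the sanctions list")
    if c.email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("free email domain")
    if c.insists_on.upper() in STABLECOINS:
        flags.append("insists on stablecoin payment")
    if not c.accepts_video:
        flags.append("refuses video calls")
    if (today - c.start).days > 365 and not c.met_in_person:
        flags.append("over a year on contract, never met in person")
    if any(o.photo_hash == c.photo_hash and o.name != c.name for o in roster):
        flags.append("profile photo reused under another name")
    return flags

def decision(flags):
    """Assumed policy: hard hit blocks, two or more soft flags go to review."""
    if any(f.startswith("BLOCK") for f in flags):
        return "block"
    return "review" if len(flags) >= 2 else "pay"

# Constructed sample roster.
TODAY = date(2026, 1, 14)
ROSTER = [
    Contractor("Sample A", "a@mail.ru", "0xaaa1", date(2024, 6, 1), False, False, "ph1", "USDC"),
    Contractor("Sample B", "b@example.com", "0xSANCTIONED_PLACEHOLDER_01", date(2025, 9, 1), True, False, "ph1"),
    Contractor("Sample C", "c@example.com", "0xccc3", date(2025, 3, 1), True, True, "ph3"),
]
```

Run `decision(screen(c, ROSTER, TODAY))` for each roster entry before releasing a payment; a single soft flag on its own does not hold a payment under this assumed policy.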

The Bigger Picture: A Global Problem

This isn’t just a U.S. issue. Japan, South Korea, and the EU have all issued joint statements condemning North Korea’s crypto thefts. The FBI and Homeland Security Investigations work closely with Interpol and Europol. But enforcement is uneven.

Russia and the UAE are key hubs for laundering. Many of the shell companies are registered there. Many of the OTC brokers operate there. And many of the IP addresses used to launch attacks come from those regions.

Until those countries crack down - or until crypto platforms start enforcing real identity checks - North Korea will keep stealing. The sanctions are a stopgap. They’ve frozen wallets. They’ve shut down companies. But they haven’t stopped the next wave.

The real solution? Making it harder to turn stolen crypto into cash. That means stricter KYC on centralized exchanges. Better tracking of OTC brokers. And global cooperation - something the U.S. is pushing for, but not everyone is willing to join.

What Comes Next?

OFAC has signaled more designations are coming. By early 2026, they plan to target the North Korean state-owned cryptocurrency mining operations hidden inside Chinese data centers. They’re also working on a new tool that flags fake freelance profiles using AI patterns - things like identical typing rhythms, reused image metadata, and matching grammatical errors across dozens of profiles.

Meanwhile, North Korea is adapting. They’re now using decentralized exchanges (DEXs) more heavily. They’re experimenting with privacy coins like Monero. And they’re recruiting more workers from other sanctioned countries - like Iran and Syria - to act as intermediaries.

The cat-and-mouse game is far from over. But one thing is clear: crypto isn’t just money anymore. It’s ammunition. And the people who built it didn’t mean for it to be used this way.

Are OFAC sanctions on North Korean crypto networks still active in 2026?

Yes. The sanctions imposed in 2025 remain fully active as of early 2026, and additional designations are expected. OFAC continues to monitor blockchain activity tied to known North Korean threat actors, and new entities are being added monthly. Businesses must screen all counterparties against the latest Specially Designated Nationals (SDN) list.

Can I get in trouble if I unknowingly hired a North Korean IT worker?

Possibly. While intent matters, U.S. law holds businesses responsible for transactions involving sanctioned entities - even if you didn’t know they were connected. If your payment went through a sanctioned company or wallet, you could face fines or asset freezes. The best defense is proactive screening: use blockchain analytics tools and verify identities with multiple layers of checks.

How do North Korean hackers avoid getting caught on the blockchain?

They don’t fully avoid it - they obfuscate. They break large transfers into small ones, use mixers and privacy coins, route funds through multiple wallets, and convert crypto to cash via OTC brokers. But blockchain analysis firms like TRM Labs have mapped hundreds of these patterns. Even mixed funds often leave behavioral fingerprints - like timing, address reuse, or wallet clustering - that experts can trace back to known DPRK networks.
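The "many small transfers" pattern described above leaves a timing fingerprint that a company can look for in its own outbound wallet history. This is an added example, not a vendor's method or code from the article; the thresholds, wallet labels and sample transfers are assumptions and constructed data.

```python
from collections import defaultdict, deque

def find_split_transfers(transfers, small=1_000, window=3600,
                         min_count=5, min_total=10_000):
    """Flag senders that emit a burst of small transfers adding up to a large sum.

    transfers: iterable of (unix_ts, sender, recipient, amount_usd), any order.
    Returns {sender: (count, total_usd, distinct_recipients)} for the largest
    burst per sender that fits inside one sliding window of `window` seconds.
    """
    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        if amt <= small:                      # only small transfers can form a split
            by_sender[src].append((ts, dst, amt))

    alerts = {}
    for src, rows in by_sender.items():
        rows.sort()                           # chronological order
        win, total = deque(), 0.0
        for ts, dst, amt in rows:
            win.append((ts, dst, amt))
            total += amt
            while ts - win[0][0] > window:    # drop transfers older than the window
                total -= win.popleft()[2]
            if len(win) >= min_count and total >= min_total:
                best = alerts.get(src)
                if best is None or total > best[1]:
                    recipients = len({d for _, d, _ in win})
                    alerts[src] = (len(win), total, recipients)
    return alerts

# Constructed sample: twelve $950 transfers five minutes apart from one wallet,
# three ordinary payments spread over days, and one large single transfer.
SAMPLE = [(i * 300, "treasury", f"addr{i}", 950.0) for i in range(12)]
SAMPLE += [(d * 86400, "payroll", "vendor1", 900.0) for d in range(3)]
SAMPLE += [(100, "ops", "exchange1", 50_000.0)]

if __name__ == "__main__":
    print(find_split_transfers(SAMPLE))
```

A high distinct-recipient count in the alert is worth noting, since the article describes funds being fanned out across many wallets before cash-out.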

Which crypto exchanges are most used by North Korean hackers?

North Korean actors use both centralized and decentralized exchanges. Centralized platforms like Binance, KuCoin, and OKX have been used historically for cashing out, but increased KYC has pushed them toward smaller, less-regulated exchanges and OTC brokers. They also use DEXs like Uniswap and PancakeSwap to move funds without identity checks. The key isn’t the exchange - it’s the path from theft to cash.

What’s the difference between OFAC sanctions and regular law enforcement actions?

OFAC sanctions are financial - they block transactions, freeze assets, and cut off access to the U.S. financial system. They don’t arrest people. Law enforcement (like the FBI or DOJ) investigates, seizes wallets, and prosecutes individuals. OFAC works alongside them: sanctions create pressure, law enforcement follows the trail. Together, they’re designed to dismantle entire networks, not just arrest one hacker.

Should I stop hiring remote workers from Asia or Russia?

No. The vast majority of remote workers are legitimate. The issue isn’t geography - it’s verification. A worker from Vietnam, India, or Ukraine is no more suspicious than one from Russia or China. What matters is whether their identity, payment history, and online presence are consistent and verifiable. Screen people, not countries.
