U.S. Sanctions Eight North Koreans for $3 Billion Crypto Theft and Money Laundering

These sanctions target the financial networks that help North Korea fund its nuclear weapons program through stolen digital assets.

The Treasury’s Office of Foreign Assets Control (OFAC) announced that North Korean hackers have stolen over $3 billion in the past three years, mostly in cryptocurrency. This money directly supports the country’s weapons development programs, making these cyber operations a serious threat to global security.

The Scale of North Korean Crypto Crime

North Korea has become the world’s most aggressive cryptocurrency thief. According to blockchain firm Elliptic, hackers linked to the country stole more than $2 billion in digital assets in 2025 alone. This brings the total amount stolen to over $6 billion since these operations began.

The biggest theft this year happened in February when hackers stole $1.46 billion from the cryptocurrency exchange Bybit. Other targets in 2025 included LND.fi, WOO X, and Seedify platforms.

John K. Hurley, Under Secretary of the Treasury for Terrorism and Financial Intelligence, explained the seriousness of these crimes: “North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program. By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

Who Got Sanctioned

The Treasury targeted two North Korean bankers who played key roles in managing stolen cryptocurrency. Jang Kuk Chol and Ho Jong Son managed at least $5.3 million in cryptocurrency on behalf of First Credit Bank, which was already under U.S. sanctions. Some of this money came from ransomware attacks that targeted American victims.

The sanctions also hit five other individuals working as financial representatives in China and Russia. These people helped move millions of dollars for North Korean banks:

  • Ho Yong Chol facilitated over $85 million in transactions for North Korean government groups

  • Han Hong Gil coordinated $630,000 in transfers for sanctioned banks

  • Jong Sung Hyok served as the chief representative of North Korea’s Foreign Trade Bank in Vladivostok, Russia

  • Choe Chun Pom managed $200,000 in transactions and coordinated visits by Russian officials to North Korea

  • Ri Jin Hyok laundered more than $350,000 through front companies

U Yong Su, president of Korea Mangyongdae Computer Technology Company, was also sanctioned for running IT worker operations in China.

The IT Worker Scheme

Beyond hacking, North Korea runs a sophisticated fraud scheme using IT workers. These workers hide their true identities and nationality to get remote jobs at legitimate companies around the world. They use fake documents, stolen identities, and false personas to trick employers.

The scheme generates hundreds of millions of dollars annually for North Korea’s weapons programs. These workers sometimes even hire other freelance programmers to do their work, then split the money to hide where it’s really going.

Korea Mangyongdae Computer Technology Company operates IT worker groups in two Chinese cities: Shenyang and Dandong. The company uses Chinese citizens as banking proxies to hide where the money comes from.

Two Companies Face Sanctions

OFAC sanctioned Korea Mangyongdae Computer Technology Company for operating North Korea’s IT worker network in China. The company’s workers use Chinese nationals to help move and hide their earnings.

Ryujong Credit Bank, based in North Korea, also received sanctions. This financial institution helps move money between China and North Korea, handling remittances, money laundering, and financial transactions for North Korean workers overseas.

The Treasury also updated First Credit Bank’s sanctions designation to include 54 cryptocurrency wallet addresses used for moving stolen funds.

International Cooperation and Evidence

The sanctions came shortly after an international report exposed North Korea’s cyber operations. On October 22, 2025, the Multilateral Sanctions Monitoring Team (MSMT) published a 138-page report detailing how North Korea violates United Nations sanctions through cyber theft and IT worker fraud.

The MSMT includes 11 countries: the United States, Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom. This group formed in October 2024 after Russia vetoed the continuation of the UN Security Council’s expert panel on North Korean sanctions.

The report documented connections between UN-designated North Korean entities and malicious cyber activities, including cryptocurrency theft, fraudulent IT work, and cyber espionage.

What These Sanctions Mean

When OFAC designates individuals or entities, all their property in the United States or controlled by U.S. persons gets blocked. American individuals and companies cannot do business with these sanctioned parties.

Financial institutions that work with these designated people or entities risk facing sanctions themselves. The Treasury can also impose civil or criminal penalties on anyone who violates these restrictions.

However, the Treasury noted that removal from the sanctions list is possible if designated parties change their behavior. The agency maintains procedures for people and companies to petition for removal.

The Bigger Picture

North Korea’s cyber operations have become more sophisticated over time. Hackers use advanced malware, social engineering tactics, and phishing campaigns to breach cryptocurrency companies and exchanges. They increasingly target not just developers but also marketing staff, traders, and other employees at crypto companies.

The stolen cryptocurrency gets laundered through mixing services, shell companies, and over-the-counter brokers before being converted into currency that North Korea can use. The regime relies on a network of representatives, financial institutions, and shell companies in multiple countries to move this money.

Despite these sophisticated evasion techniques, blockchain technology’s transparency means every stolen asset leaves a trace. This helps investigators track illicit funds and enables regulated financial service providers to identify and block deposits from sanctioned addresses.

Following the Money Trail

North Korea uses these illicit funds to finance its weapons of mass destruction and ballistic missile programs, violating multiple UN Security Council resolutions. The country has few legitimate trading partners due to international sanctions, making these cyber operations and IT worker schemes critical sources of revenue for the regime.

The Treasury Department’s action demonstrates the U.S. government’s commitment to cutting off North Korea’s access to the international financial system. By targeting not just hackers but also the bankers, IT companies, and financial representatives who help move the money, these sanctions aim to disrupt the entire support network.

Cyber Thieves, Real Consequences

These new sanctions show that the United States is taking North Korea’s cryptocurrency crimes seriously. By targeting eight individuals and two companies across North Korea, China, and Russia, the Treasury is sending a clear message: anyone who helps North Korea launder stolen cryptocurrency and evade sanctions will face consequences. As North Korea continues to steal billions in digital assets to fund its nuclear program, expect more sanctions and international cooperation to combat these cyber threats in the months ahead.

Source: https://bravenewcoin.com/insights/u-s-sanctions-eight-north-koreans-for-3-billion-crypto-theft-and-money-laundering