The U.S. Treasury Department has taken action against a key part of North Korea’s global financial architecture, imposing sanctions on eight individuals and two entities. This network is accused of laundering millions of dollars generated through illicit activities, including state-sponsored cybercrime and sophisticated fraud involving North Korean IT workers operating abroad under false pretenses. According to Under Secretary John K. Hurley, these schemes fund the regime’s nuclear weapons program, making the facilitators a direct threat to U.S. and global security, and the Treasury vowed to continue pursuing those enabling the DPRK’s illicit revenue streams.
The sanctions list includes several key players in this financial architecture. Among them are Jang Kuk Chol and Ho Jong Son, who allegedly managed over $5.3 million in cryptocurrency for the previously sanctioned First Credit Bank, which is linked to North Korea’s missile programs. Also targeted are the Korea Mangyongdae Computer Technology Company (KMCTC) and its current president, U Yong Su, for dispatching IT workers globally and using Chinese nationals as banking proxies to conceal the origins of their fraudulently obtained income. Furthermore, Ryujong Credit Bank was sanctioned for providing financial assistance in sanctions evasion, alongside five representatives of North Korean financial institutions in Russia and China who facilitated millions of dollars in transactions for sanctioned banks.
The Treasury detailed the extensive nature of the regime’s illicit fundraising, characterizing North Korean cyber actors as orchestrating financial theft and espionage on a scale “unmatched” by any other country. Pyongyang-affiliated cybercriminals have reportedly stolen over $3 billion, mostly in digital assets, using sophisticated malware and social engineering over the past three years. A portion of the $5.3 million noted above is specifically linked to a North Korean ransomware actor known to have targeted U.S. victims.
Further compounding the fraud, the regime leverages a massive IT army positioned across the world, instructing these workers to deliberately obfuscate their identity and nationality to gain employment at various companies. A huge portion of their income is then funneled directly back to the DPRK. In some cases, these DPRK IT workers engage in business partnerships with non-North Korean freelance programmers, collaborating on projects commissioned to the foreign workers and then splitting the revenue to further conceal their activity and earnings.
Blockchain intelligence firms have corroborated these findings, noting that cryptocurrency wallet addresses linked to the sanctioned First Credit Bank show “consistent inbound flows resembling salary payments,” which likely represent income from IT workers employed abroad under fake identities. These wallets, which are controlled by the bank, have reportedly received over $12.7 million between June 2023 and May 2025, demonstrating the sustained nature of the scheme. The sanctioned individuals and entities, in effect, form a vital component of Pyongyang’s sanctions-evasion architecture, allowing the regime to move vast sums through both traditional banking and cryptocurrency channels to fund its illicit weapons and cyber operations.
Reference:
