TL;DR
- OFAC designated six individuals and two entities for facilitating North Korean IT worker schemes that generated nearly $800 million in 2024 to fund the DPRK’s weapons programs.
- A key facilitator converted approximately $2.5 million into cryptocurrency for North Korean IT workers between mid-2023 and mid-2025.
- The networks operated across multiple countries, including Vietnam, Laos, and Spain, using cryptocurrency to move illicit earnings.
- This action builds on the U.S. Treasury Department’s ongoing efforts to disrupt DPRK revenue generation schemes that exploit legitimate businesses and leverage digital assets for sanctions evasion.
On March 12, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six individuals and two entities for their roles in North Korean government-orchestrated IT worker fraud schemes. These schemes systematically targeted U.S. businesses and generated nearly $800 million in 2024 to fund the Democratic People’s Republic of Korea (DPRK)’s weapons of mass destruction (WMD) and ballistic missiles programs.
How DPRK IT worker schemes operate
North Korean IT worker schemes represent a sophisticated and growing threat to U.S. businesses. DPRK-facilitated IT teams use fraudulent documentation, stolen identities, and fabricated personas to conceal their true identities and gain employment with legitimate companies worldwide, including in the United States. The DPRK government reportedly appropriates the majority of wages earned by these overseas workers, funneling hundreds of millions of dollars to support the regime’s weapons programs in violation of U.S. and United Nations sanctions.
Beyond generating revenue through fraudulent employment, these workers have also been known to covertly introduce malware into company networks to extract proprietary and sensitive information. In some cases, they have weaponized this data to extort businesses for substantial payments.
Cryptocurrency remains a key enabler
Cryptocurrency plays a central role in moving funds generated by these IT worker schemes back to North Korea while evading international sanctions. Today’s designation includes 21 cryptocurrency addresses across multiple blockchains, highlighting the multi-chain approach DPRK operatives use to move and obscure funds.
Nguyen Quang Viet, CEO of Vietnam-based Quangvietdnbg International Services Company Limited, facilitated currency conversion services for North Koreans. According to OFAC, between mid-2023 and mid-2025, Nguyen converted approximately $2.5 million into cryptocurrency for the regime, including illicit earnings from IT workers associated with Amnokgang Technology Development Company (Amnokgang), a DPRK IT company managing overseas IT worker delegations.
Amnokgang, established in 1982, had seven cryptocurrency addresses designated today across the Ethereum and Tron networks.
Ethereum:
- 0xcB74874f1e06Fcf80A306e06e5379A44B488bA2D
- 0x0330070FD38Ec3bB94F58FA55D40368271E9e54A
- 0x9Be599d7867f5E1a2D7Ec6dB9710dF2b98A15573
Tron:
- TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7
- TEEYCuGDyeNkuDj4u6GQRXxXo3Nh29r2vP
- TZB4NrX7k9ZsV6PRc1GigAztLL8WHpLvwP
- TDe2UNAvuUnTbbDo7518eMe3TXN5qJW8Ft
Yun Song Guk, a DPRK national who led a group of North Korean IT workers operating out of Boten, Laos since at least 2023, had two Ethereum addresses designated:
- 0xb637f84b66876ebf609c2a4208905f9ddac9d075
- 0x95584C303FCd48AF5c6B9873015f2AD0ca84EaE3
Hoang Minh Quang, who coordinated financial transactions totaling more than $70,000 with Yun relating to IT services, had one Bitcoin address designated:
- bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq
Additionally, OFAC updated the entry for previously designated Sim Hyon Sop, a China-based representative for OFAC SDN Korea Kwangson Banking Corp (KKBC), adding 11 new cryptocurrency addresses across Ethereum and Tron networks:
Ethereum:
- 0xd04E33461FEA8302c5E1e13895b60cEe8AEfda7F
- 0x76EA76CA4Eb727f18956aB93445a94c5280412B9
- 0xFb3eFf152ea55D1BfA04Dbdd509A80fD7b72cdEB
- 0xFda1Ec4A6178d4916b001a065422D31EBE5F62FF
- 0x747AFB5c7A7fc34B547cD0FDEbf9b91759C5a52b
Tron:
- TPDLpXxPcaSsupEZ3yrVksmNkYP5SLeKxu
- TGXE9dGWawjfd3xqFSho1h1bRbRv9wUGrF
- TNTFhgFoKH4srBMiWbfrVFqP2AThSmdwf1
- TXhf9nU9bjo1j9z5qEesHdr6gtdndfnA4T
- TK17wfSPp32RWrnzZPrGpv7TxdNFvvvE2s
- TYeQD2VddTZ9NkFkAnT9DD8cUGetGUQZB2
Pattern of DPRK cryptocurrency exploitation
Today’s action is part of the Treasury’s sustained effort to counter North Korea’s abuse of cryptocurrency and digital assets for sanctions evasion. The DPRK has increasingly turned to cryptocurrency-related schemes to generate revenue, including IT worker fraud, state-sponsored cyber heists by groups like the Lazarus Group, and ransomware attacks demanding cryptocurrency payments. Chainalysis research has documented the DPRK’s growing sophistication in cryptocurrency theft and laundering, with North Korean hackers responsible for some of the largest cryptocurrency heists on record.
The designation of addresses across multiple blockchain networks reflects the DPRK’s increasingly multi-chain approach to moving funds. Cryptocurrency businesses should screen all counterparties against updated OFAC sanctions lists, be alert to patterns consistent with IT worker fraud, and monitor for unusual payment patterns. Enhanced due diligence for cryptocurrency services operating in Southeast Asia is particularly important given the networks identified in today’s action. For additional red flags, businesses should review the FBI’s January 2025 Public Service Announcement and the May 2022 IT Worker Advisory issued by the Departments of State, Treasury, and Justice.
We have labeled the designated cryptocurrency addresses in our product suite and have updated our screening solutions to include all designated individuals and entities from today’s action. Sending and receiving exposure to these addresses will trigger sanctions alerts for KYT customers, per their configured alert rules.
If you’d like to learn more about how Chainalysis products can help protect your organization from sanctions risk and detect DPRK-related activity, request a demo.
The sanctioned entity and individuals from today’s designation heavily relied upon a variety of mainstream cryptocurrency services to facilitate their schemes, including compliant exchanges, hosted wallets, DeFi services, and cross-chain bridges. As shown in the Chainalysis Reactor graph below, addresses belonging to Amnokgang, which manages overseas IT worker delegations and other illicit procurement activities, additionally leveraged Southeast Asian movement services and received downstream funds from a suspected DPRK hack.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
