New sanctions from the U.S. Treasury Department have brought attention to a global scheme linked to North Korean overseas IT workers, after officials identified hundreds of millions of illicit earnings flowing through digital asset networks. The network reportedly generated close to $800 million in 2024, primarily by funneling salaries earned under false identities back to the government in Pyongyang.
OFAC Targets Key Figures And Entities
The Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions on March 12, 2026, against six individuals and two companies accused of driving the North Korea-linked IT worker initiative. These IT professionals, stationed in countries such as Vietnam, Laos, and Spain, allegedly used stolen credentials to secure jobs, mainly with technology firms and other legitimate businesses. Wages were redirected back to North Korea, with much of the revenue believed by U.S. officials to support ballistic missile and weapons development, in violation of U.S. and United Nations restrictions.
OFAC is a branch of the U.S. Treasury responsible for enforcing economic and trade sanctions. The latest sanctions list includes specific individuals and companies suspected of coordinating payments and moving funds for North Korean interests using cryptocurrency platforms.
Expanding Crypto Infrastructure Revealed
The sanctions also outlined an expansive digital infrastructure. Twenty-one crypto addresses, connected to Ethereum, Tron, and Bitcoin networks, were designated as part of the suspected laundering process. This multi-chain approach was reportedly used to blur financial trails and aid international movement of proceeds.
Vietnam-based Nguyen Quang Viet was singled out for converting approximately $2.5 million of IT worker-related earnings into cryptocurrency between 2023 and 2025. Investigators linked some of the funds to payment channels handled by Amnokgang Technology Development Company, an entity believed to manage North Korea’s external IT labor and procurement operations.
Another individual named by the Treasury, Yun Song Guk, was connected to an IT worker group in Boten, Laos. He reportedly controlled Ethereum addresses used for payments related to technology contracts and IT services. Authorities also identified a Bitcoin wallet managed by Hoang Minh Quang, through which more than $70,000 in transactions, believed to be North Korean worker earnings, were managed in cooperation with Yun.
Sim Hyon Sop, acting as a representative for Korea Kwangson Banking Corp in China, was named with eleven new crypto addresses attached to his financial network. Treasury reports indicate the addresses played a role in the broader movement of funds tied to sanctioned North Korean operations.
Blockchain analytics firm Chainalysis described the operation as an international undertaking, employing a mix of exchanges, decentralized finance platforms, custodial wallets, and blockchain bridges. Their systems have now begun to flag activity associated with the blacklisted addresses.
U.S. authorities have repeatedly urged digital asset exchanges and service providers to tighten monitoring systems and apply more rigorous screening to root out suspicious flows linked to overseas IT work, emphasizing the challenges posed by evolving cross-border money movements in the crypto sector.
