The US Treasury Department has imposed sanctions on six individuals and two companies connected to a North Korea-linked money laundering network that reportedly generated about $800 million in revenue in 2024 alone. The network, which was identified as playing a major role in financing North Korea’s weapons programs, was singled out for its sophisticated global operations and use of fraudulent identities.
Global Structure Built on Identity Fraud
Unlike previous cases centered on cyber theft, this nefarious operation involved thousands of North Korean IT workers infiltrating legitimate companies around the world. With forged documents and identities, they remotely secured lucrative contracts with firms—including those based in the US technology sector—earning substantial salaries.
These illicit gains were then converted into cryptocurrency to evade international sanctions before being funneled back to North Korea. In addition to the money flow, investigations found that some workers embedded malicious software into employer systems, aiming to access sensitive data or create vulnerabilities for potential future extortion. Targeting this network, the US Treasury froze 21 digital wallets operating on Ethereum, Tron, and Bitcoin blockchains.
Names and Functions on the Sanctions List
The sanctioned individuals and companies are based in Vietnam, Laos, Spain, and North Korea. Amnokgang Technology Development Company managed delegations of North Korean IT workers in foreign countries and supplied military technology, according to the Treasury. Quangvietdnbg International Services Co., based in Vietnam, was found to have converted approximately $2.5 million into cryptocurrency for North Korea between mid-2023 and mid-2025 through its director, Nguyen Quang Viet.
Within the network, Yun Song Guk organized freelance workers in Laos’s Boten Special Economic Zone. Do Phi Khanh and Hoang Van Nguyen were responsible for opening bank accounts and sourcing foreign currency for the network’s fiat money operations. In Spain, York Louis Celestino Herrera facilitated fake IT service contracts, while Hoang Minh Quang oversaw the financial transactions that sustained the network.
Cryptocurrency Infrastructure Facilitates Laundering
A central pillar of the operation was the use of cryptocurrency to directly transfer revenue to North Korea. Taking payment in US dollars and other major foreign currencies, North Korean IT workers would quickly convert their earnings into various crypto assets, successfully circumventing US sanctions and sending the value back to Pyongyang.
The Tron blockchain’s frequent use for USDT transactions underscored its role as a favorite in North Korean laundering operations. While the frozen wallets represent only the end points that could be traced, data from analytics firm Chainalysis show these types of networks often employ complex, multi-layered wallet structures to obscure the movement of crypto assets.
The Treasury described these sanctions as a component of wider efforts to prevent North Korea from abusing digital assets. The recent surge in operations follows incidents such as the Lazarus Group’s 2025 hack on the Bybit exchange—regarded as the world’s largest crypto theft to date.
Officials highlighted that the scope of the sanctions extends beyond wallet addresses, targeting the human and financial backbone of the networks as well. Cracking down on recruiters, account facilitators, and finance managers is expected to make rebuilding such networks significantly more expensive and difficult.
Still, questions remain over whether this strategy will deliver permanent results, given that prior sanctions have not always achieved their full intended impact.
