The US has imposed sanctions against accomplices of hackers from the DPRK. Who is affected

The US Treasury Department has announced new sanctions against a number of North Korean bankers and financial institutions. Eight individuals and two companies are subject to restrictions, with all their assets in the US or under US jurisdiction frozen. According to the authorities, these individuals and entities helped North Korea raise money through cyberattacks, IT fraud, and other illegal schemes. The funds earned were allegedly used to finance the country’s nuclear and missile programs. GetBlock AML Research publishes an overview of the new restrictive measures.

What led to the sanctions

According to the US Department of the Treasury, the North Korean government has been using various illegal methods to obtain money for many years. These methods include cyberattacks, online espionage, and theft from financial platforms. Over the past three years, North Korean hackers have stolen more than $3 billion, mainly in the form of cryptocurrencies.

In addition, thousands of North Korean IT specialists work abroad under false names. They create accounts on freelance platforms, use fake documents, and earn millions of dollars a year by fulfilling programming orders. Often, this money is transferred to the state.

To cash out and transfer illegal income, North Korea uses a network of intermediaries — bankers and companies operating in various countries, including China and Russia. Through these connections, funds pass through international channels and are disguised as legitimate financial transactions.

The Year of the DPRK: everything you need to know about North Korean hacker groups

North Korean hackers are currently the main threat to the cryptocurrency market, as they have managed to automate and streamline the theft of digital assets

Читать дальше

Who has been sanctioned

Companies:

Ryujong Credit Bank — a bank in Pyongyang that, according to the US, helped transfer foreign currency between China and North Korea, circumventing international restrictions. It was also involved in laundering money earned abroad.

Korea Mangyongdae Computer Technology Corporation (KMCTC) — an IT company officially based in Pyongyang. It sent its employees to work in Chinese cities, using frontmen to receive and transfer money earned from foreign orders.

Individuals:

• Choe Chun Pom is a representative of the DPRK Central Bank in Russia and participated in transfers and organizing trips for officials.
• Han Hong Gil is an employee of Koryo Commercial Bank, who conducted transfers of hundreds of thousands of dollars on behalf of Ryujong Credit Bank.
• Jang Kuk Chol and Ho Jong Son — managed overseas funds worth over $5 million, including those linked to cyberattacks and illegal IT activities.
• Ho Yong Chol is a North Korean banker working in China. He conducted transactions worth tens of millions of dollars, helping to circumvent sanctions.
• Jong Sung Hyok is a representative of the Foreign Trade Bank in Vladivostok, Russia, who was involved in international settlements and transfers.
• Ri Jin Hyok is also a representative of this bank who participated in currency and crypto asset transfers.
• U Yong Su is the head of KMCTC, responsible for managing IT projects and financial operations abroad.

These eight individuals are considered key intermediaries, providing North Korea with access to international finance through networks of banks and front companies.

The shadow blockchain economy: criminals’ balance sheets exceed $75 billion

Criminal and illegal organizations have accumulated $75 billion in assets in their wallets — a record high in recent years

Читать дальше

Crypto wallets under sanctions

The sanctions list also includes 53 crypto wallets linked to North Korea’s Cheil Credit Bank. About $16 million in cryptocurrency (USDT) passed through them. Most of it came from major exchanges and already known suspicious addresses.

Connection between blocked addresses and major exchanges. Visualization: MistTrack

At the time of publication, approximately 60% of these wallets are empty — the funds have been transferred to other addresses. The remaining 40% contains approximately $6,5 million, which has already been blocked by the issuer of the stablecoin Tether.

Activity on these wallets was observed from August 2023 to July 2025, with the most activity occurring in mid-2024 and the first half of 2025. Most transactions ceased a week before the sanctions were officially announced. Many transfers were made in several stages to conceal the origin of the funds. Some wallets also interacted with major crypto exchanges.

Activity graph of blocked addresses

What this means

The new sanctions show how actively North Korea uses cybercrime and front companies to make money and circumvent international restrictions.

The US authorities are calling on financial institutions and cryptocurrency services to check the sources of incoming funds more carefully, track suspicious transactions, and avoid interacting with addresses that may be linked to sanctioned entities.

The main goal of these measures is to cut off North Korea’s funding channels and reduce the impact of its cybercrime networks on the global economy.