Chainalysis has noted that in a significant escalation of efforts to curb illicit funding for weapons programs, the US Treasury’s Office of Foreign Assets Control (OFAC) has imposed fresh sanctions on individuals and companies tied to North Korean IT worker schemes that rely heavily on cryptocurrency. Announced on March 12, 2026, the designations target six people and two entities accused of orchestrating fraud that funneled nearly $800 million into the Democratic People’s Republic of Korea (DPRK) in 2024 alone.
Blockchain analytics firm Chainalysis detailed how these operations function in its latest report.
North Korean operatives deploy teams of IT professionals who secure remote jobs at legitimate global companies—often in the United States—by using stolen identities, forged documents, and fake personas.
The DPRK government then seizes the bulk of their salaries, redirecting the revenue toward its prohibited weapons of mass destruction and ballistic missile initiatives in direct violation of U.S. and United Nations sanctions.
Beyond simple wage theft, the workers reportedly embed malware into corporate systems to steal sensitive data, which they sometimes leverage for extortion demands paid in cryptocurrency.
The networks span multiple jurisdictions, with notable activity in Vietnam, Laos, and Spain, allowing them to blend into legitimate business environments while maintaining ties to Pyongyang.
Cryptocurrency plays a pivotal role in moving these illicit proceeds back to North Korea without triggering traditional banking alerts.
Chainalysis highlighted one key facilitator, the CEO of a Vietnam-based firm, who converted roughly $2.5 million in earnings into digital assets between mid-2023 and mid-2025.
These funds supported overseas IT delegations managed by Amnokgang Technology Development Company, a long-standing DPRK entity founded in 1982.
OFAC specifically flagged 21 cryptocurrency addresses linked to the scheme, spanning Ethereum, Tron, and Bitcoin networks.
For instance, addresses associated with Amnokgang and other sanctioned figures like Yun Song Guk, who oversees operations in Laos, and Hoang Minh Quang received transfers totaling over $70,000 in coordinated IT-related payments.
Even previously sanctioned individuals saw their profiles updated with additional wallet addresses.
The operatives favor mainstream services—including compliant exchanges, hosted wallets, decentralized finance platforms, and cross-chain bridges—while routing funds through Southeast Asian intermediaries and occasionally receiving inflows from suspected state-sponsored hacks.
This latest action underscores North Korea’s evolving playbook for sanctions evasion.
Chainalysis notes that the regime increasingly blends IT worker fraud with high-profile cyber thefts by groups such as the Lazarus collective and ransomware campaigns that explicitly demand crypto payments.
By operating across multiple blockchains, DPRK actors aim to complicate tracking and obscure the ultimate destination of funds.
The multi-jurisdictional nature further exploits gaps in international enforcement.
Industry professionals view the sanctions as a reminder of persistent risks in the digital asset space.
Companies hiring remote developers are urged to implement rigorous identity verification, while crypto platforms should enhance screening against sanctioned addresses.
Chainalysis has incorporated the newly designated wallets into its monitoring tools, enabling real-time alerts for exposure.
As global regulators intensify pressure on illicit crypto flows, this case illustrates how blockchain transparency—once seen as a vulnerability for criminals—now serves as an investigative asset.
Continued collaboration between analytics firms, exchanges, and law enforcement will be essential to disrupt these revenue streams and limit the DPRK’s capacity to finance its weapons ambitions. Chainalysis concluded that the $800 million figure from 2024 alone highlights the scale of the challenge and the urgency of sustained vigilance in 2026 and beyond.