U.S. Sanctions North Korean IT Workers Over ‘Cyber Espionage’ and Crypto Theft Scheme.

July 8, 2025 

The U.S. Department of the Treasury has announced a new wave of sanctions targeting a network of North Korean IT workers accused of participating in cyber espionage and cryptocurrency thefts that have helped fund the regime’s weapons programs.

According to the Office of Foreign Assets Control (OFAC), the sanctioned individuals were part of a global scheme in which North Korean operatives posed as freelance IT developers to infiltrate tech and crypto firms, often under false identities. Their activities allegedly included theft of proprietary code, laundering of stolen crypto assets, and the deployment of malware.

Sanctions Target Frontline Operators in Pyongyang’s Cyber Army

“These individuals are part of a larger effort by the DPRK to exploit digital platforms to steal money and sensitive information that can support its weapons of mass destruction program,” said Brian Nelson, Under Secretary for Terrorism and Financial Intelligence.

The sanctioned workers are believed to be part of Bureau 121, a notorious cyber warfare unit under North Korea’s military intelligence agency. The Treasury described them as “key nodes in a sprawling international network,” with operatives embedded in or providing services to companies in the U.S., Europe, and Southeast Asia.

Crypto Firms and Freelance Portals Exploited

Officials say the IT workers posed as remote contractors, often through platforms like Upwork, LinkedIn, and GitHub, using forged documents and aliases. In many cases, they gained trusted access to internal systems, where they were able to introduce backdoors, exfiltrate digital assets, or gather sensitive client data.

“This is not a single hack, but a systemic infiltration of the freelance economy,” said a senior U.S. intelligence official. “The DPRK has adapted well to the gig economy model — and they’re using it to target the very infrastructure of global tech.”

Crypto firms were a frequent target, with at least $70 million in losses attributed to related operations since mid-2023, according to blockchain analytics firm Chainwatch. These losses include the compromise of smart contracts, insider key leaks, and software backdoors introduced through code contributions.

Broader Strategy to Cut Off Pyongyang’s Crypto Revenue

The new sanctions freeze any U.S.-based assets of the named individuals and prohibit American citizens or companies from conducting business with them. Treasury officials are also working with international partners in South Korea, Japan, and the EU to trace and block related crypto wallets and payment channels.

The move follows earlier warnings from the FBI and CISA, which issued joint alerts over North Korea’s targeting of blockchain developers and crypto project teams.

The United Nations has estimated that North Korean crypto thefts have generated upwards of $3 billion over the past five years, making digital assets a key funding stream for the regime amid tightening global sanctions.

Tech Industry Urged to Be Vigilant

The Treasury urged technology and finance companies to conduct enhanced due diligence on remote developers and contractors, especially those using pseudonymous identities or requesting payment in cryptocurrency.

“Companies must verify who they are working with, especially in sensitive sectors like finance and Web3,” OFAC stated. “Failure to do so risks not only theft, but legal exposure under sanctions regulations.”

Diplomatic Fallout Expected

The sanctions are expected to further strain U.S.-North Korea relations, which remain tense over Pyongyang’s ongoing missile tests and nuclear ambitions. North Korea has previously denied involvement in hacking or thefts, despite extensive evidence from Western intelligence agencies and cybersecurity firms.

With today’s action, the U.S. continues its effort to cut off one of North Korea’s most elusive funding channels: state-sponsored crypto crime conducted from behind keyboards far from Pyongyang — but with global reach.