The action
Some frauds look less like a heist than like a payroll. On 12 March 2026, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six people and two entities for their role in IT-worker schemes orchestrated by the North Korean government that, according to the release, defraud U.S. businesses and generated nearly 800 million dollars in 2024 for the country’s weapons of mass destruction and ballistic-missile programs. Treasury Secretary Scott Bessent said the regime “targets American companies through deceptive schemes carried out by its overseas IT operatives, who weaponize sensitive data and extort businesses.”
How the scheme works
The method described by authorities is discreet by design. According to Treasury, the teams facilitated by the DPRK rely on fraudulent documentation, stolen identities and fabricated personas to conceal their origin and gain employment at legitimate companies worldwide, including in the United States and allied countries. The North Korean government then appropriates most of those overseas workers’ wages, channeling them toward weapons development in violation of U.S. and United Nations sanctions. Beyond the salary, Treasury and Chainalysis described how some of these workers introduce malware into their employers’ networks to extract sensitive information and, at times, demand extortion payments.
The operational novelty, analysts warned, is that the infiltrator is no longer an outside attacker. The Chainalysis analysis accompanying the action described operatives who write code, attend team standups and ship features while mapping systems and harvesting access for possible future exploitation.
The money trail
The file follows the money to the wallet. Treasury designated Nguyen Quang Viet, chief executive of the Vietnamese firm Quangvietdnbg, for converting about 2.5 million dollars into cryptocurrency for North Koreans between mid-2023 and mid-2025, including illicit earnings from workers tied to the North Korean company Amnokgang. Amnokgang Technology Development Company, a North Korean entity that manages overseas worker delegations, was designated under Executive Order 13810 for operating in the country’s information-technology sector. Two other people were designated under Executive Order 13382, on proliferation, for acting in support of an already-sanctioned North Korean nuclear-procurement facilitator.
In all, the action included 21 cryptocurrency addresses across the Ethereum, Tron and Bitcoin networks, a multi-chain spread that, according to Chainalysis, seeks to obscure the movement of funds. OFAC also updated the entry for Sim Hyon Sop, a China-based representative of an already-sanctioned North Korean bank, with eleven new addresses.
Not only a U.S. problem
The map of the network is what makes this story relevant on this side of the Atlantic. Treasury placed the facilitation nodes in the DPRK itself, Vietnam, Laos and Spain, and described a group of North Korean IT workers operating as freelancers from Boten, Laos, since at least 2023. The presence of a node in Spain and the description of companies in “allied countries” among the victims shift the risk to any organization that hires remote developers without enhanced verification. The scheme does not exploit an exotic technical flaw: it exploits the ordinariness of global remote work.
The underlying pattern
The 2024 figure is not an isolated episode but the latest reading of a trend. In a November 2025 release, Treasury estimated that, over the previous three years, North Korea-affiliated cybercriminals had stolen more than 3 billion dollars, mostly in cryptocurrency, through techniques such as advanced malware and social engineering. The theft of about 1.5 billion dollars from the Bybit platform in February 2025, attributed to the Lazarus group, was the loudest episode in that series. These numbers deserve methodological caution: they are estimates from the authority itself and from on-chain analytics firms, not amounts actually recovered, and they mix direct thefts with revenue from employment fraud.
What companies can do
The actionable part is familiar and, even so, hard. Treasury and Chainalysis advised crypto firms to screen all counterparties against updated sanctions lists, watch for patterns consistent with IT-worker fraud and strengthen due diligence in Southeast Asia, and pointed to the FBI’s January 2025 alert and the 2022 joint advisory from the Departments of State, Treasury and Justice. There remains, however, an unresolved tension the case itself illuminates: truly permissionless protocols cannot block addresses, and full recovery of funds stays elusive even as traceability improves. A designation cuts access and raises the cost of operating; it does not, by itself, return money already converted.