On-Chain Tracking|U.S. Further Cracks Down on North Korean IT Worker Fraud Network Using Cryptocurrency to Fund WMDs, Sanctions 6 Individuals and 2 Corporate Entities
- Core Viewpoint: The U.S. Treasury sanctioned an IT worker fraud network funding North Korea's WMD programs, highlighting the critical role of cryptocurrency in the network's fund transfers and sanctions evasion.
- Key Elements:
- The U.S. OFAC sanctioned 6 individuals and 2 entities, accusing them of helping North Korean IT workers fraudulently secure positions at U.S. companies and funneling hundreds of millions in salaries to support North Korean weapons programs.
- The sanctions targeted 21 cryptocurrency addresses, with one key figure converting approximately $2.5 million in cryptocurrency for North Korean interests over two years.
- On-chain analysis reveals that substantial funds, including millions in USDT and USDC, flowed through the sanctioned addresses into various centralized exchanges.
- North Korea-linked personnel are not only accused of obtaining salaries but also of potentially planting malware in corporate networks to steal sensitive information.
- This action underscores the urgency for Virtual Asset Service Providers (VASPs) to strengthen anti-money laundering (AML) compliance and screen high-risk addresses.
On March 12, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against six individuals and two entities involved in a North Korea-led IT worker fraud network. The announcement stated that these participants systematically defrauded U.S. companies to fund weapons of mass destruction programs, with the amount involved in 2024 alone approaching $8 billion.
https://home.treasury.gov/news/press-releases/sb0416
Sanctions Details
According to U.S. OFAC disclosures, North Korea-controlled IT teams gained employment at legitimate companies in the U.S. and other countries by using forged documents, stolen identities, and fabricated personas to conceal their true identities. The North Korean government seizes the vast majority of these overseas IT workers' salaries, obtaining hundreds of millions of dollars to support its weapons of mass destruction and ballistic missile programs. In some cases, North Korea-linked personnel also secretly implant malware into corporate networks to steal proprietary and sensitive information.
This round of sanctions targets a total of six individuals (Nguyen Quang Viet, Do Pyong Kyong, Hoang Van Nguyen, Yun Song Guk, Hoang Minh Quang, York Louis Celestino Herrera), identified as providing substantial assistance to North Korean IT workers in cryptocurrency exchange, money laundering, bank account opening, and IT business connections; and two corporate entities (Amnokgang, Quangvietdnbg), identified as key operators and facilitators of the IT worker fraud network.
Sanctioned Address Analysis
This sanctions action has locked 21 cryptocurrency addresses. According to the OFAC announcement, from mid-2023 to mid-2025, Quangvietdnbg's CEO Nguyen Quang Viet exchanged approximately $2.5 million worth of cryptocurrency for the North Korean side, confirming that cryptocurrency is a crucial channel for North Korean IT workers to transfer funds and evade sanctions.
Analysis of the 21 addresses on this sanctions list using the on-chain anti-money laundering analysis platform Beosin KYT and the investigation tool Beosin Trace yields the following results:
YUN, Song Guk (North Korean national, leader of IT workers in Boten, Laos)
ETH:
0xb637f84b66876ebf609c2a4208905f9ddac9d075
0x95584C303FCd48AF5c6B9873015f2AD0ca84EaE3
According to Beosin Trace statistics, approximately 200,851 USDT previously flowed out to various centralized exchanges.
HOANG, Minh Quang (Facilitated IT service transactions exceeding $70,000)
BTC: bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq
Previously, 0.57462 BTC flowed into a Coinbase account.
SIM, Hyon Sop (Representative of North Korea's Kwangson Banking Corp. in China, with 11 newly added addresses)
Previously frozen address (ETH network):
0x4f47bc496083c727c5fbe3ce9cdf2b0f6496270c
This address had a liquid volume of 21,937,732.52 USDT and 2,071,126.59 USDC. Currently, 58,148.62 USDT remains deposited at this address.
Newly sanctioned addresses (ETH network):
0xd04E33461FEA8302c5E1e13895b60cEe8AEfda7F
0x76EA76CA4Eb727f18956aB93445a94c5280412B9
0xFb3eFf152ea55D1BfA04Dbdd509A80fD7b72cdEB
0xFda1Ec4A6178d4916b001a065422D31EBE5F62FF
0x747AFB5c7A7fc34B547cD0FDEbf9b91759C5a52b
The fund flow chart is as follows:
Approximately 98,139.11 USDT, 21,300 USDC, and 0.51268 ETH flowed out.
Newly added TRX addresses:
TPDLpXxPcaSsupEZ3yrVksmNkYP5SLeKxu
TGXE9dGWawjfd3xqFSho1h1bRbRv9wUGrF
TNTFhgFoKH4srBMiWbfrVFqP2AThSmdwf1
TXhf9nU9bjo1j9z5qEesHdr6gtdndfnA4T
TK17wfSPp32RWrnzZPrGpv7TxdNFvvvE2s
TYeQD2VddTZ9NkFkAnT9DD8cUGetGUQZB2
Approximately 6,236.74 TRX and 999,014.46 USDT flowed out.
Same address cross-chain:
ARB:0x4f47bc496083c727c5fbe3ce9cdf2b0f6496270c
BSC:0x4f47bc496083c727c5fbe3ce9cdf2b0f6496270c
Approximately 1,133,025.26 USDT, 935,943.84 BUSD, and 17,811.05 USDC flowed out to various centralized exchanges.
AMNOKGANG TECHNOLOGY DEVELOPMENT COMPANY
ETH:
0xcB74874f1e06Fcf80A306e06e5379A44B488bA2D
0x0330070FD38Ec3bB94F58FA55D40368271E9e54A
0x9Be599d7867f5E1a2D7Ec6dB9710dF2b98A15573
A total of approximately 205.02 ETH, 274,531.15 USDT, and 228,496.97 USDC were involved. Of this, 96.05 ETH remains deposited in address 0x9be599d7867f5e1a2d7ec6db9710df2b98a15573.
Tron network addresses:
TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7
TEEYCuGDyeNkuDj4 U6GQRXxXo3Nh29r2vP
TZB4NrX7k9ZsV6PRc1GigAztLL8WHpLvwP
TDe2 UNAvuUnTbbDo7518eMe3TXN5qJW8Ft
Approximately 2,744.75 TRX and 4,941,817.62 USDT flowed out to various centralized exchanges.
Beosin Anti-Money Laundering Recommendations
This action is another measure by the U.S. Treasury Department in its ongoing efforts to combat North Korea's use of cryptocurrency to evade sanctions. For the virtual asset industry, how to conduct anti-money laundering compliance screening and identify addresses associated with high-risk funds has become a critical capability for Virtual Asset Service Providers (VASPs).
