On November 4, 2025, the United States Treasury Department took a decisive step in its ongoing effort to curb North Korea’s illicit financial activity, imposing sweeping sanctions on eight individuals and two companies accused of laundering over $3 billion in stolen cryptocurrency. According to the Treasury’s Office of Foreign Assets Control (OFAC), this vast sum—stolen over just the past three years—has been funneled directly into North Korea’s nuclear weapons and missile programs, fueling one of the world’s most persistent security threats.
“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” stated John K. Hurley, the Treasury’s Under Secretary for Terrorism and Financial Intelligence, in an official release. The department’s latest action, as reported by the Associated Press and corroborated by financial and cybersecurity outlets, targets the intricate web of North Korean banking representatives, shell companies, and IT worker schemes that have enabled Pyongyang to evade international sanctions and move illicit funds through global financial networks.
Among those sanctioned were two prominent North Korean bankers, Jang Kuk Chol and Ho Jong Son, both accused of managing $5.3 million in cryptocurrency on behalf of the already-sanctioned First Credit Bank. Treasury officials revealed that a portion of these funds could be traced directly to ransomware attacks targeting U.S. victims—a sobering reminder of how cybercrime, even when it seems distant, can have very real consequences for ordinary Americans and U.S. institutions.
The crackdown extended to Korea Mangyongdae Computer Technology Company (KMCTC), an IT firm operating out of Shenyang and Dandong in China. The company, led by its president U Yong Su (also sanctioned), runs overseas IT worker delegations that use Chinese nationals as proxies to launder earnings back to North Korea. According to the Treasury, these IT workers frequently use false or stolen identities to obtain freelance contracts abroad, sometimes collaborating with non-North Korean freelancers and splitting project revenue to further obscure the origin of their earnings. This elaborate scheme, the department notes, generates "hundreds of millions of dollars per year" for Pyongyang’s weapons development.
Ryujong Credit Bank, another target of the sanctions, was cited for its role in laundering money between North Korea and China. The bank, based in Pyongyang, has reportedly facilitated the movement of millions of dollars, yuan, and euros through global financial networks. Five other North Korean representatives in China and Russia were also sanctioned for their part in moving illicit funds on behalf of the regime. Their activities ranged from converting $2.5 million from U.S. dollars into Chinese yuan to managing transactions worth over $85 million for sanctioned North Korean government entities.
The scale and sophistication of North Korea’s cyber operations have stunned even seasoned cybersecurity experts. As highlighted in a recent 138-page international report, North Korean cyber actors are responsible for "cyber-enabled espionage, disruptive cyberattacks, and financial theft at a scale unmatched by any other country." Over the last three years, these actors have stolen more than $3 billion, primarily in cryptocurrency, using advanced malware, social engineering, and ransomware to attack banks, exchanges, and digital platforms worldwide.
One particularly audacious heist occurred in February, when North Korean hackers stole $1.5 billion in Ether from the crypto exchange Bybit. The attackers reportedly used a bogus stock trading simulator to pull off the theft, demonstrating the regime’s technical prowess and willingness to exploit any vulnerability in the rapidly evolving world of digital finance. As David Maxwell, senior fellow at the Foundation for the Defense of Democracies, observed in a 2023 interview, North Korea regards cryptocurrency as its "treasure sword"—a critical tool for sustaining the regime in the face of tightening international sanctions.
The U.S. government has not been idle in the face of these threats. In 2022, the Treasury Department warned American firms against hiring highly skilled North Korean IT workers, who often disguise their identities to gain access to financial networks by posing as remote freelancers. Last year, the FBI issued a separate warning that North Korean hackers were targeting U.S. cryptocurrency exchange-traded funds (ETFs) using advanced social engineering tactics, fake job offers, and malware deployment. These warnings, now underscored by the latest round of sanctions, reflect growing concern about the role of cryptocurrency in North Korea’s illicit finance operations.
Tuesday’s sanctions are broad in scope. They block all property and interests of the designated individuals and entities that fall under U.S. jurisdiction and prohibit Americans from engaging in transactions with them. Financial institutions found violating these rules could face stiff enforcement actions, the Treasury warned. While it remains unclear whether any of the sanctioned parties hold assets within the United States, the action sends a clear message to the global financial system: facilitating North Korea’s illicit networks will not be tolerated.
The Treasury’s statement also highlighted the international dimension of the problem. North Korea’s laundering network spans China, Russia, and other countries, relying on a patchwork of shell companies, proxies, and complicit financial institutions. The department named several other sanctioned North Korean banks, including Korea Daesong Bank, Koryo Commercial Bank, and the Foreign Trade Bank, as beneficiaries of the laundering activities. The five North Korean representatives sanctioned in China and Russia were identified as key facilitators, moving millions in various currencies to support Pyongyang’s ambitions.
According to the Treasury, the IT worker scheme alone brings in "hundreds of millions of dollars per year." North Korean IT workers, often operating under assumed identities, secure high-paying roles at foreign companies—sometimes even in the U.S.—and funnel their earnings back home. In some cases, they collaborate with foreign freelancers, splitting project revenue and further muddying the financial trail. This not only funds the regime’s weapons development but also undermines the integrity of the global gig economy and the trust that underpins it.
For all the technical detail and financial complexity, the stakes are easy to grasp. As John K. Hurley put it, "By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security." The U.S. government, in concert with international partners, is determined to disrupt the network that enables North Korea to convert stolen digital assets into weapons of mass destruction.
It’s a high-stakes cat-and-mouse game—one that spans continents, currencies, and cyberspace. As North Korea’s tactics evolve, so too must the global response. The latest round of sanctions is a clear signal that, at least for now, the U.S. intends to keep the pressure on, cutting off Pyongyang’s access to the digital lifelines that fuel its most dangerous ambitions.
