U.S. Treasury Sanctions DPRK IT-Worker Scheme, Exposing $600K Crypto Transfers and $1M+ Profits
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs.
"The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom," said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. "Under President Trump, Treasury is committed to protecting Americans from these schemes and holding the guilty accountable."
The key players targeted include Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. The latest effort expands the scope of sanctions imposed against Chinyong Information Technology Cooperation Company in May 2023.
Chinyong, according to insider risk management firm DTEX, is one of the many IT companies that have deployed IT workers for engaging in freelance IT work and cryptocurrency theft. It has offices in China, Laos, and Russia.
The years-long IT worker threat, also tracked as Famous Chollima, Jasper Sleet, UNC5267, and Wagemole, is assessed to be affiliated with the Workers' Party of Korea. At its core, the scheme works by embedding North Korean IT workers in legitimate companies in the U.S. and elsewhere, securing these jobs using fraudulent documents, stolen identities, and false personas on GitHub, CodeSandbox, Freelancer, Medium, RemoteHub, CrowdWorks, and WorkSpace.ru.
Select cases have also involved the threat actors clandestinely introducing malware into company networks to exfiltrate proprietary and sensitive data, and extort them in return for not leaking the information.
In a report published Wednesday, Anthropic revealed how the employment fraud operation has leaned heavily on artificial intelligence (AI)-powered tools like Claude to create convincing professional backgrounds and technical portfolios, tailor resumes to specific job descriptions, and even deliver actual technical work.
"The most striking finding is the actors' complete dependency on AI to function in technical roles," Anthropic said. "These operators do not appear to be able to write code, debug problems, or even communicate professionally without Claude's assistance. Yet they're successfully maintaining employment at Fortune 500 companies (according to public reporting), passing technical interviews, and delivering work that satisfies their employers."
The Treasury Department said Andreyev, a 44-year-old Russian national, has facilitated payments to Chinyong and has worked with Kim Ung Sun, a North Korean economic and trade consular official based in Russia, to conduct multiple financial transfers worth nearly $600,000 by converting cryptocurrency to cash in U.S. dollars since December 2024.
Shenyang Geumpungri, the department added, is a Chinese front company for Chinyong that consists of a delegation of DPRK IT workers, generating over $1 million in profits for Chinyong and Sinjin since 2021.
"Sinjin is a DPRK [Democratic People's Republic of Korea] company subordinate to the U.S.-sanctioned DPRK Ministry of People's Armed Forces General Political Bureau," the Treasury said. "The company has received directives from DPRK government officials regarding the DPRK IT workers that Chinyong deploys internationally."
The announcement comes a little over a month after the Treasury Department sanctioned a North Korean front company (Korea Sobaeksu Trading Company) and three associated individuals (Kim Se Un, Jo Kyong Hun, and Myong Chol Min) for their involvement in the IT worker scheme. In parallel, an Arizona woman was awarded an eight-year prison sentence for running a laptop farm that enabled the actors to connect remotely to companies' networks.
Last month, the department also sanctioned Song Kum Hyok, a member of a North Korean hacking group called Andariel, alongside a Russian national (Gayk Asatryan) and four entities (Asatryan LLC, Fortuna LLC, Korea Songkwang Trading General Corporation, and Korea Saenal Trading Corporation) for their participation in the sanctions-evading scheme.
