March 13, 2026

Beyond IT Worker Fraud: OFAC's Latest DPRK Designations Show Broader Sanctions and National Security Risk

TRM Team

Beyond IT Worker Fraud: OFAC's Latest DPRK Designations Show Broader Sanctions and National Security Risk

Key takeaways:

OFAC’s latest action targets the broader DPRK IT worker ecosystem, sanctioning six individuals and two businesses linked to state-directed schemes that generate revenue for North Korea.
DPRK IT worker operations represent a major revenue stream, with US authorities estimating they generated nearly USD 800 million in 2024.
The designated network spans multiple jurisdictions, with facilitators operating across DPRK, Vietnam, Laos, and Spain.
Cryptocurrency remains embedded in DPRK financial activity, with seven addresses tied to Amnokgang Technology Development Company processing over USD 12 million in transactions, according to TRM analysis.
The sanctions highlight the role of supporting facilitators, including entities involved in currency conversion, overseas worker management, and procurement activity.
Previously sanctioned actors continue to operate, as illustrated by updated designations tied to DPRK financial facilitator Sim Hyon-Sop.
For the private sector, DPRK IT worker activity represents broader sanctions and national security risk, rather than a standalone employment fraud issue.

‍

Yesterday, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions on a network of DPRK facilitators of government-orchestrated IT worker schemes. These schemes are responsible for systematically defrauding US businesses and generating revenue to fund the DPRK’s weapons of mass destruction (WMD) programs, generating nearly USD 800 million in 2024 alone. Operatives used fraudulent documents, stolen identities, and fabricated personas to secure positions, including at US companies, according to the sanctions documentation.

The action targeted six individuals and two businesses spread across DPRK, Vietnam, Laos, and Spain, underscoring the vast reach of North Korea’s IT worker ecosystem. The designation included Amnokgang Technology Development Company, a DPRK IT company managing delegations of overseas IT workers and conducting illicit procurement activities to obtain and sell military and commercial technology through its overseas networks. According to OFAC, Quangvietdnbg, also included in the designation, is a Vietnam-based company being used to facilitate currency conversion services for North Korea, including converting illicit earnings from IT workers associated with Amnokgang. OFAC included seven cryptocurrency addresses in the Amnokgang designation.

These OFAC-designated Amnokgang Technology Development Company addresses conducted over USD 12 million in transactions, according to TRM analysis of on-chain data. Amnokgang Technology Development Company has also received funds from entities which have sent cryptocurrency through intermediary addresses to OFAC-sanctioned Cheil Credit Bank, as well as to high-risk exchanges, Chinese darknet markets, and other illicit services.

*Flow of funds between Amnokgang and other services, including SDN Cheil Credit Bank*

In addition to the above businesses, OFAC also sanctioned Yun Song Guk, a DPRK national, who led a group of North Korean IT workers conducting IT work operating out of Laos. Yun, in coordination with Hoang Minh Quang, reportedly completed several dozen financial transactions totaling more than USD 70,000 relating to IT services Yun performed.

OFAC also amended the existing sanctions designation for Sim Hyon-Sop with additional cryptocurrency addresses. Sim was originally designated by OFAC on April 24, 2023 for coordinating millions of dollars in financial transfers for the DPRK as a deputy representative of the Korea Kwangson Banking Corp (KKBC).

The newly designated addresses associated with Sim are part of a transactional network TRM explored in a December 2025 Wall Street Journal report. Despite his 2023 designation by OFAC and indictment by the DOJ, Sim remains active, laundering hack proceeds and IT worker salaries as well as transacting with other rogue governments, including Iran’s Revolutionary Guards Corps (IRGC), according to TRM analysis.

This latest action underscores Treasury’s focus on disrupting the revenue North Korea generates from IT worker schemes. The inclusion of cryptocurrency addresses tied to multiple facilitators reflects the expansion of enforcement aimed at targeting the full ecosystem supporting DPRK revenue generation.

At the same time, the updates tied to Sim Hyon-Sop reinforce a key point: these networks are persistent, adaptive, and supported by individuals who are not deterred by enforcement actions.. Treasury’s continued pressure on actors linked to IT worker fraud, illicit finance, and proliferation-related procurement signals that DPRK revenue operations remain a priority for US authorities. For the private sector, the message is clear: North Korea’s IT worker activity should be viewed not as isolated employment fraud, but as part of a broader sanctions, financial crime, and national security risk environment.

‍

Frequently asked questions (FAQs)

1. What are DPRK IT worker schemes?

DPRK IT worker schemes involve North Korean nationals posing as remote freelancers or employees — often using stolen identities, fraudulent documents, or fabricated personas — to secure jobs with foreign companies. The earnings generated from these roles are redirected to the North Korean government.

2. Why are these schemes a national security concern?

Revenue from these operations helps fund North Korea’s weapons of mass destruction (WMD) and ballistic missile programs, according to US authorities. As a result, the activity is treated as both a financial crime issue and a national security threat.

3. What entities were designated in this sanctions action?

OFAC designated:

Six individuals linked to DPRK IT worker activity
Two businesses, including Amnokgang Technology Development Company and the Vietnam-based firm Quangvietdnbg
Seven cryptocurrency addresses associated with Amnokgang

These actors allegedly supported IT worker operations, currency conversion services, or other financial facilitation activities.

4. What role does cryptocurrency play in these networks?

Cryptocurrency can serve several functions within DPRK financial operations, including:

Moving funds across borders
Laundering proceeds from cybercrime or fraud
Converting revenue generated by IT worker schemes

TRM analysis shows that the addresses associated with Amnokgang processed over USD 12 million in transactions and interacted with a range of services, including high-risk exchanges and previously sanctioned entities.

5. Who is Sim Hyon-Sop and why is his designation significant?

Sim Hyon-Sop is a DPRK national previously designated by OFAC in April 2023 for coordinating financial transfers on behalf of Korea Kwangson Banking Corp (KKBC).

The addition of new cryptocurrency addresses tied to Sim highlights how sanctioned facilitators can continue operating through evolving financial networks, even after enforcement actions.