OFAC sanctions individuals, entities, and crypto wallets associated with North Korean cyber activities
TRM Labs research shows sanctioned wallets received about USD 28 million in funds
The United States and South Korea on Tuesday announced a new tranche of North Korea sanctions. Specifically, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned four entities and one individual for North Korea’s malicious cyber activities, including hacks and deployment of IT workers to fund weapons proliferation. South Korea’s foreign ministry separately announced sanctions against seven individuals and three entities.
In addition to sanctioning the entities and individuals, OFAC added four cryptocurrency addresses used to transact BTC, ETH, USDT and USDC to its Specially Designated Nationals (SDN) List. According to OFAC, the wallets received more than USD 2 million in cryptocurrency fund transfers from IT teams located in China and Russia.
However, blockchain analysis by TRM Labs found that the four sanctioned addresses received as much as USD 28 million. TRM is investigating the origins of these funds.
The four addresses belong to 58-year-old North Korean national Sang Man Kim. According to OFAC, Kim is an employee of the Chinyong Information Technology Cooperation Company, working from the company’s office in Vladivostok, Russia. In addition to being involved in the sale and transfer of IT equipment for the DPRK, Kim allegedly has ties to the Reconnaissance General Bureau, North Korea’s primary foreign intelligence agency.
The Twin Pillars of North Korea’s Cyber Strategy
Today’s OFAC action designated two pillars of North Korea’s cyber strategy - cyber attacks and the fraudulent use of IT workers.
First, OFAC targeted “malicious cyber organizations” involved in North Korea’s sustained attacks on the cryptocurrency ecosystem. Among these, OFAC added Pyongyang University of Automation, which it describes as “one of the DPRK’s premier cyber instruction institutions,” “responsible for training malicious cyber actors.” In addition, OFAC sanctioned the Technical Reconnaissance Bureau (TRB) and its cyber unit, the 110th Research Center. According to OFAC, the TRB “leads the DPRK’s development of offensive cyber tactics and tools and operates several departments, including those affiliated with the Lazarus Group.” In March 2022, the Lazarus Group stole about USD 620 million in the hack of the Ronin Network bridge that serves the play-to-earn game Axie Infinity.
Second, OFAC targeted what it called “illicit IT worker revenue generation.” This is the state-sponsored strategy of generating revenue by placing highly skilled IT workers at companies around the globe. OFAC states that such workers, who fraudulently obtain employment by obfuscating their identities, can earn hundreds of thousands of dollars a year - revenue used, according to OFAC, to fund North Korea’s WMD and ballistic missile programs.
Over the last few years North Korea has attacked cryptocurrency businesses at alarming speed and scale. While 2022 was a record-setting year for hacks, with about USD 3.7 billion stolen, this week TRM reported that hack losses have dropped 70% compared with the same period last year. While many factors likely contribute to the decrease, U.S. authorities clearly continue to target the North Korean actors who were responsible for over a billion dollars of the 2022 total.
To understand much more about DPRK cyber activities, join us for TRM Talks: The North Korea Threat on June 1, 2023 at 11 AM ET. Register here.
And, check out TRM’s library of insights on North Korea here.