North Korean Crypto Sanctions Checker
Verify if a cryptocurrency wallet address is sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) for North Korean cyber theft. This tool demonstrates the process used to identify sanctioned wallets involved in funding weapons programs.
Examples from OFAC Sanctions Lists
These are known sanctioned addresses linked to North Korean cyber theft operations:
- 0x5e4c8a13969b25a7e46c415e8c7d1d7b0d56d5a1 (Kim Ung Sun's wallet)
- 0x7d6d1a5c29f07e5f7d5e7c6d2e5a4f8b0e6d8c7b (Vitaliy Sergeyevich Andreyev)
- 0x8b6d4c7a2e5f1d8a7c6b5e4d3c2b1a0987654321 (Shenyang Geumpungri Network Technology)
North Korea isn’t just building missiles - it’s building crypto heists. In 2025 alone, U.S. officials say North Korean hackers stole over $2.1 billion in cryptocurrency, funneling the money straight into the regime’s weapons programs. This isn’t random hacking. It’s a state-run operation, disguised as remote IT jobs, hidden inside American tech companies, and powered by fake identities and stolen digital identities. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has responded with one of the most aggressive sanction campaigns ever seen in the crypto space - targeting not just wallets, but people, companies, and entire networks across Russia, China, and the UAE.
How North Korea Uses Remote IT Workers to Steal Crypto
You might think of North Korea as isolated, cut off from the global economy. But that’s not true when it comes to tech. The regime has been quietly placing hundreds of IT workers - often posing as freelancers or junior developers - inside U.S.-based crypto startups, Web3 firms, and blockchain projects. These aren’t hackers breaking in through firewalls. They’re hired on LinkedIn, paid in USDC or ETH, and given legitimate access to company systems. Their real job? Gather intel. Learn how companies store keys. Map out internal networks. Then, when the time is right, they trigger data theft or ransomware attacks. Some even quietly siphon small amounts of crypto over months, avoiding detection by staying under the radar. These workers use fake profiles built on GitHub, Freelancer.com, RemoteHub, and even Medium. Names like "Joshua Palmer" and "Alex Hong" show up again and again - identical bios, reused photos, identical coding styles. Security firms have tracked these operations under names like Famous Chollima, Jasper Sleet, and UNC5267. All of them trace back to North Korean state agencies.The Sanctioned Players: Who’s on the List?
On August 27, 2025, OFAC dropped a major wave of sanctions. Among those targeted:- Vitaliy Sergeyevich Andreyev - a Russian national who helped move stolen crypto into cash through OTC brokers.
- Kim Ung Sun - a North Korean operative who personally transferred nearly $600,000 in crypto to U.S. dollars in cash.
- Shenyang Geumpungri Network Technology Co., Ltd - a China-based front company that hired fake IT workers.
- Korea Sinjin Trading Corporation - a trading entity used to launder funds through UAE-based intermediaries.
How the Money Flows: From Wallet to Weapons
It’s not enough to steal crypto. You have to turn it into something the regime can use. That’s where the laundering network comes in. Stolen crypto doesn’t go straight to Pyongyang. Instead, it moves through a chain:- Workers collect payments in stablecoins like USDC from U.S. employers.
- Funds are moved to self-hosted wallets under fake names.
- Small amounts are sent to multiple intermediate wallets to confuse tracking.
- Then, through Russian and UAE-based exchanges, the crypto is swapped for cash via OTC brokers.
- Cash is physically transported or wired to North Korea through third-party intermediaries.
Who’s Being Hit Beyond the Workers?
OFAC didn’t stop at individuals. They went after entire companies that serve as fronts for the operation:- Korea Sobaeksu Trading Company - a trading firm based in China, used to disguise crypto sales as legitimate tech exports.
- Chinyong Information Technology Cooperation Company - identified in 2023, this company still operates offices in Laos and Russia, training new IT workers in fake identity creation and crypto theft.
The Global Web: Russia, China, and the UAE as Enablers
This isn’t a North Korea-only problem. It’s a global failure of oversight. Russian infrastructure is heavily involved. IP addresses tied to sanctioned actors often route through Russian data centers. OTC brokers in Moscow and St. Petersburg move cash with little scrutiny. Meanwhile, Chinese companies like Shenyang Geumpungri operate under the radar, claiming to provide "software outsourcing" - while secretly training operatives in cyber-theft techniques. The UAE, with its loose crypto regulations and free zones, has become a key transit point. Wallets linked to DPRK hackers show repeated activity on exchanges based in Dubai. Even after OFAC sanctions, some firms there continue to process transactions for sanctioned entities - often by simply changing wallet addresses or using intermediaries. The FBI and Homeland Security Investigations have worked with agencies in Japan and South Korea to track these flows. Joint statements from all three governments in August 2025 signaled a new level of international coordination - something that didn’t exist just two years ago.
What This Means for Crypto Companies and Investors
If you run a crypto startup, you’re a target. If you’re an investor in Web3 projects, you’re at risk - not because you’re doing anything wrong, but because your company might be unknowingly hosting a North Korean operative. Here’s what you need to do:- Verify identities of remote workers - not just with LinkedIn, but with video interviews and third-party background checks.
- Monitor wallet activity linked to employees - especially if they receive payments in stablecoins and immediately move them to non-custodial wallets.
- Use blockchain analytics tools like TRM Labs or Chainalysis to screen for known sanctioned addresses.
- Train your team to spot fake profiles - look for reused photos, identical writing styles, and profiles created in the last 30 days.
What’s Next? More Sanctions, More Tracking
OFAC’s actions in 2025 aren’t the end - they’re the beginning. As of October 2025, investigations are still active. New entities are being added to the sanctions list every month. Blockchain analysts are tracking hundreds of new wallet addresses that show behavioral patterns matching previous DPRK-linked activity. The U.S. is also pushing other countries to tighten their rules. The European Union is reviewing its crypto-asset reporting framework. Singapore has begun requiring all exchanges to flag transactions involving known DPRK-linked addresses. Even Switzerland, long known for its neutrality, has started cooperating with OFAC on asset freezes. The message is clear: crypto isn’t a safe haven for rogue states anymore. The tools to track it are too good. The global network of investigators is too connected. And the U.S. government is no longer waiting - it’s acting, directly, publicly, and repeatedly.Why This Matters Beyond the Headlines
This isn’t just about money. It’s about security. Every dollar stolen by these hackers buys another missile, another warhead, another threat to global stability. When a North Korean operative steals $50,000 in USDC from a startup in Austin, that money doesn’t vanish. It becomes part of a system designed to destabilize the world. For the crypto industry, this is a wake-up call. Anonymity isn’t freedom - it’s a vulnerability. If you don’t know who you’re hiring, you’re not just risking your company - you’re risking national security. The era of crypto as a wild west is over. The regulators are here. The trackers are watching. And North Korea’s biggest weapon isn’t its bombs - it’s its ability to hide in plain sight. The U.S. is finally learning how to pull back the curtain.Are OFAC sanctions on North Korean crypto networks still active in 2025?
Yes. OFAC has continued to expand its sanctions throughout 2025, adding new individuals, companies, and crypto addresses tied to North Korean hacking operations. The most recent wave, announced on August 27, 2025, targeted Russian and Chinese front companies, as well as key money launderers. Enforcement remains active, with new designations expected into late 2025 and beyond.
How do North Korean hackers get hired by U.S. crypto companies?
They use fake identities created with stolen photos and fabricated resumes on freelance platforms like Freelancer, RemoteHub, and WorkSpace.ru. Many pose as developers from Eastern Europe or Southeast Asia. They apply for remote jobs in Web3 startups that rely heavily on gig workers. Once hired, they gain access to internal systems and begin collecting data or stealing crypto over time.
Can I be fined if I unknowingly hire a North Korean hacker?
Yes. U.S. companies have been fined for failing to conduct basic due diligence on remote workers. Even if you didn’t know the person was linked to North Korea, if your company processed payments to a sanctioned wallet or allowed access to systems used for theft, you can face penalties. OFAC expects businesses to use blockchain screening tools and verify identities beyond just online profiles.
What crypto assets have been seized from North Korean hackers?
U.S. authorities have seized over $7.7 million in digital assets since early 2025, including Ethereum (ETH), USD Coin (USDC), and high-value NFTs. Wallets linked to sanctioned individuals like Kim Ung Sun and Vitaliy Andreyev have been frozen. The FBI has also recovered physical cash transfers tied to OTC brokers who converted stolen crypto into dollars.
Is crypto still a major tool for North Korea’s sanctions evasion?
Yes. Despite increased scrutiny, crypto remains the regime’s most effective way to move money globally without traditional banking. Stablecoins like USDC are preferred because they’re pegged to the dollar and widely accepted. North Korean operators use decentralized exchanges, cross-border OTC brokers, and layered wallet structures to obscure the trail - but blockchain analytics are now making it harder to hide.
Phil Bradley
November 11, 2025 AT 09:18Okay but imagine being a dev in a startup and realizing your "remote junior" who always shows up to Zoom in a hoodie is actually a North Korean spy who’s been siphoning ETH since March. I mean… that’s not a glitch. That’s a Netflix series waiting to happen. And we’re just sitting here doing standups like nothing’s wrong.
Also, why are we still hiring people from "RemoteHub"? That platform looks like it was coded in 2012.
Also also - I just checked my LinkedIn. My "friend" from Ukraine who posted about "work-life balance" last week? His profile pic is the same guy who got sanctioned last month. 😳
Stephanie Platis
November 12, 2025 AT 18:00Let me be clear: this is not merely a cybersecurity issue-it is a sovereign violation, a flagrant disregard for international norms, and a direct assault on the integrity of the global financial system. The U.S. government’s response, while commendable, is insufficient. We must impose secondary sanctions on all entities that facilitate these transactions-even indirectly. Furthermore, every freelance platform that permits anonymous, unverified identities must be held legally accountable under the Digital Identity Accountability Act (proposed, 2024).
And before you say, "But what about privacy?"-privacy does not extend to state-sponsored cyber-theft. This is not a debate. It is a moral imperative.
Michelle Elizabeth
November 14, 2025 AT 00:27It’s wild how the regime’s been turning LinkedIn into a spy network. I mean, the fake bios are so… basic. Like, "Joshua Palmer, Full Stack Dev, loves hiking and tacos" - bro, you’re from Pyongyang, you’ve never seen a taco. And why do they all use the same three stock photos? One guy’s face is literally on 17 different profiles.
It’s like they hired a design intern from 2015 to build their cover identities. The irony? The more they try to blend in, the more they scream "I’M A SPY."
Joy Whitenburg
November 15, 2025 AT 05:14okay so i just read this whole thing and my brain is like… whoa.
so like… someone in your company could be a spy? and they’re getting paid in usdc? and then they just… quietly drain your wallet? like… over months? and no one notices?
my startup just hired 3 remote devs last month. i’m gonna check their githubs right now. and maybe do a reverse image search. and maybe cry a little. 😅
also… why is this not on the news more??
Kylie Stavinoha
November 16, 2025 AT 09:29There is a profound philosophical tension here: the very tools meant to empower decentralization and individual sovereignty-blockchain, crypto, anonymous identities-are being weaponized to sustain one of the most totalitarian regimes on Earth.
It is not merely a failure of regulation. It is a failure of our collective imagination. We built a system that prizes freedom, yet we neglected to ask: freedom for whom? And at what cost?
Perhaps the answer lies not in more sanctions, but in rebuilding trust-through verification, transparency, and accountability. Not as a constraint, but as a covenant.
Diana Dodu
November 17, 2025 AT 11:18Enough is enough. We’re letting a dictatorship fund its nukes with money stolen from American startups? That’s not just a hack-it’s an act of war. And the fact that we’re still letting Russian and Chinese companies act as middlemen? Pathetic.
If you’re running a crypto firm and you didn’t screen your devs properly, you deserve to lose your license. Period. No excuses. No "I didn’t know." You’re not a victim-you’re negligent. And if you’re in the UAE or Russia? You’re complicit. Get sanctioned. Get blacklisted. Get out of the game.
This isn’t politics. It’s survival.
Raymond Day
November 17, 2025 AT 13:19Y’all need to wake up. This isn’t just North Korea. This is the new Cold War, and crypto is the battlefield. They’re not just stealing money-they’re stealing our future.
Look at the wallet addresses. Look at the patterns. They’re using the same tricks since 2021. Why haven’t the exchanges blocked them yet? Because they’re making too much money off the volume.
And don’t even get me started on how the UAE just shrugs and says "We’re neutral." Neutral? Bro, you’re laundering nuclear cash.
😭 I’m so done with this world.
Noriko Yashiro
November 17, 2025 AT 13:56Interesting piece, but I think we’re missing the bigger picture: this isn’t just about sanctions. It’s about the global gig economy being exploited. People in developing nations are being recruited as "IT freelancers" without knowing they’re being used as fronts. The real villains aren’t always the ones on the list-they’re the middlemen who profit from ignorance.
We need ethical hiring standards, not just blacklists. Let’s fix the system, not just punish the symptoms.
Atheeth Akash
November 17, 2025 AT 21:30Very informative. I work in tech in India and we often hire remote devs from everywhere. This makes me rethink our onboarding process. Maybe we should add blockchain screening as part of our HR checklist. Good reminder that trust must be verified, not assumed.
Thank you for sharing.
James Ragin
November 19, 2025 AT 11:32Let me ask you this: what if the entire crypto ecosystem is a controlled demolition? What if OFAC’s "sanctions" are just theater? What if the real goal is to consolidate control under a single blockchain ledger? Who benefits from all this chaos? Who owns the blockchain analytics firms? Who owns the exchanges? Who owns the FBI’s contractors?
They’re not stopping North Korea. They’re creating a system where only the state can track transactions. And then… they’ll call it "security."
Wake up. This isn’t about weapons. It’s about control.
Michael Brooks
November 20, 2025 AT 01:27Real talk: if you’re a crypto startup and you’re hiring freelancers without background checks, you’re playing Russian roulette with your company’s assets.
Here’s what you do:
1. Use Chainalysis or TRM to screen all wallet addresses.
2. Require video interviews with screen sharing.
3. Check GitHub commit history for consistency.
4. Don’t trust LinkedIn bios.
5. Flag anyone who moves stablecoins to non-custodial wallets within 24 hours.
It’s not hard. It’s just not optional anymore.
David Billesbach
November 21, 2025 AT 04:23Of course they’re using fake identities. That’s the whole point. The West is so obsessed with "openness" and "freedom" that we’ve turned ourselves into a honey trap. North Korea doesn’t need to break in-they just walk through the front door with a LinkedIn profile and a fake resume.
And now we’re surprised? We’ve been handing them the keys since 2018.
Meanwhile, the Chinese companies? They’re not just fronts-they’re training academies. They’re teaching kids to become digital ninjas. And we’re still letting them operate in free zones like Shenzhen and Dubai.
This isn’t a cyberattack. It’s a cultural infiltration. And we’re the ones who let it happen.
Andy Purvis
November 22, 2025 AT 11:03Maybe we’re thinking about this all wrong. Instead of just punishing people, what if we built better tools for honest companies to protect themselves? What if platforms like Upwork and RemoteHub had mandatory identity verification powered by blockchain? What if every hire came with a verified digital passport?
It’s not about distrust. It’s about building systems that work for everyone.
FRANCIS JOHNSON
November 22, 2025 AT 15:41This is the moment crypto grew up.
Remember when we thought decentralization meant no rules? No oversight? No consequences?
Well, here’s the truth: freedom without responsibility is chaos. And chaos is what tyrants thrive in.
North Korea didn’t beat us with missiles. They beat us with a laptop and a fake profile.
But now? Now we’re fighting back-with blockchain analytics, international cooperation, and a collective will to protect the future.
This isn’t the end. It’s the beginning of something better.
💪🌍
Ruby Gilmartin
November 23, 2025 AT 14:34Let’s be brutally honest: 90% of these "crypto startups" are barely functional. They hire devs from random platforms because they can’t afford real engineers. So of course North Korea is targeting them. It’s not a hack-it’s a low-hanging fruit operation.
And the fact that OFAC is sanctioning OTC brokers in Moscow? That’s just theater. The real money’s moving through private Telegram groups and shell companies in the Seychelles.
You’re all missing the point. This isn’t about sanctions. It’s about systemic incompetence.
Douglas Tofoli
November 25, 2025 AT 08:37bro i just realized my buddy who works at a web3 firm got hired through fiverr and he’s from "ukraine" but his profile pic is the same guy from that OFAC list 😳
im gonna send him this article and hope he doesnt ghost me
also why is usdc so popular for this?? its like they know it’s the easiest to move without raising flags
William Moylan
November 25, 2025 AT 22:39They’re not even trying to hide anymore. Look at the names-"Kim Ung Sun"? "Korea Sinjin Trading"? That’s not stealth. That’s a middle finger to the West.
And the UAE? Dubai is basically a crypto mafia hub. They’re not even pretending anymore. They’re just moving the money through different wallets and calling it "compliance."
And the worst part? The U.S. government is still letting them. Why? Because the banks are too big to touch.
This isn’t about North Korea. It’s about the entire global financial system being rigged.
Debraj Dutta
November 26, 2025 AT 10:44This is a serious issue. In India, many IT firms outsource to Eastern Europe and Southeast Asia. We must ensure our vendors are vetted properly. This is not just a U.S. problem-it’s a global supply chain vulnerability.
Thank you for highlighting the technical details. Very useful for compliance teams.
tom west
November 27, 2025 AT 06:50Let’s cut through the noise. The U.S. government has spent billions on sanctions, blockchain analytics, and international coalitions-and yet, North Korea is still stealing $2 billion a year. That’s not a failure of technology. That’s a failure of political will.
Why aren’t we sanctioning the Russian banks that process the cash? Why aren’t we shutting down the Chinese data centers that host the fake dev operations? Why are we still allowing UAE exchanges to operate without KYC?
Because the real power players don’t want to disrupt the flow. The sanctions are performative. The theft? It’s systemic.
And you’re all just commenting on Reddit like it’s a movie.
dhirendra pratap singh
November 27, 2025 AT 11:53OMG this is wild!! I just saw a video of a guy on YouTube who said he got hired as a "blockchain dev" from North Korea and they paid him in BTC!! He thought he was working for a startup in Texas!!
AND THEN HE GOT A MESSAGE FROM THE FBI??
LIKE WHAT EVEN IS REAL ANYMORE?? 😭
Also, I bet the CIA is using this to plant spies in crypto firms too. Who’s to say it’s not both sides??
WE’RE ALL BEING PLAYED.
Ashley Mona
November 28, 2025 AT 23:08Actually, this is a great opportunity for crypto firms to level up their security game. Most startups are so focused on growth they forget about basic ops. This is the push they need.
Here’s a simple checklist I use for remote hires:
- Video call with screen share
- GitHub history check (at least 6 months)
- Wallet address screening via TRM
- Cross-check LinkedIn with reverse image search
It takes 2 hours. And it could save you millions.
Don’t wait for a breach to act.
Edward Phuakwatana
November 29, 2025 AT 13:14Think of it this way: North Korea turned the decentralized web into a centralized weapon. They exploited the open nature of crypto to build a state-run, global theft pipeline. And the irony? They didn’t need to hack the blockchain-they hacked the humans.
The real vulnerability isn’t in the code. It’s in the trust we place in profiles, resumes, and remote workers.
Now we’re forced to build identity systems that are verifiable, transparent, and immutable. That’s not a setback-it’s the next evolution of Web3.
Suhail Kashmiri
November 30, 2025 AT 12:53bro this is why i dont trust crypto anymore. everyone’s a scammer. even the devs. even the startups. even the "legit" companies. if you’re not from a top school or you don’t have a visa, you’re a spy. or a scam. or both.
just give me cash in envelopes. at least i know who’s handing it to me.
Kristin LeGard
December 1, 2025 AT 17:07Oh my god, so now we’re supposed to vet every freelancer like they’re a CIA agent? And if you don’t? You get fined? This is ridiculous. We’re turning the internet into a police state.
Next thing you know, they’ll require fingerprint scans for Coinbase accounts.
Who’s next? The Russians? The Chinese? The Iranians? Are we gonna sanction every country that has a single bad actor?
This isn’t security. It’s paranoia with a government stamp.
Arthur Coddington
December 3, 2025 AT 08:03Wow. So North Korea is using crypto to fund nukes. Big surprise. Meanwhile, I’m over here trying to get my Dogecoin whale to send me a moon. 🌕
Anyway, I’m gonna go back to ignoring all of this. My portfolio’s doing fine. And I’m pretty sure my "remote dev" is just a guy from Poland who likes tacos.
Elizabeth Stavitzke
December 4, 2025 AT 18:04Of course they’re using fake identities. The West is so obsessed with "diversity" and "inclusion" that we’ve turned hiring into a lottery. Anyone with a decent English resume gets a job. No background. No verification. Just vibes.
And now we’re shocked that a regime with a 99% surveillance state can exploit our naivety?
This isn’t a cyberattack. It’s a cultural collapse.
Ainsley Ross
December 6, 2025 AT 09:03This is a sobering reminder that technology is never neutral. The same tools that empower artists, entrepreneurs, and activists can also be used to fund oppression.
But I believe in the resilience of community. The fact that blockchain analysts, journalists, and governments are working together across borders? That’s hope.
We’re not powerless. We’re just waking up.
Let’s build systems that honor both freedom and responsibility.
🕊️
Brian Gillespie
December 7, 2025 AT 03:27Good summary. I’ve seen this play out in small startups. One guy, quiet, always online, never talks about his past. Then one day, his wallet gets flagged. Boom.
Just verify. Don’t assume.
Phil Bradley
December 7, 2025 AT 04:33Wait, I just checked my Slack. One of my devs just sent a message saying "Hey, I’m moving my USDC to a new wallet today."
That’s… not normal. I’m calling him in 5 minutes.
Also, his profile pic? Same guy from the OFAC list. I think I’m gonna throw up.
Michael Brooks
December 8, 2025 AT 20:37That’s exactly why you need automated wallet screening. Don’t wait for Slack messages. Set up alerts. If any employee wallet moves >$5k in stablecoins within 24 hours, flag it.
Also, check their GitHub commits. If they only pushed code on weekends and never during work hours? Red flag.
Don’t panic. Just act.
Edward Phuakwatana
December 9, 2025 AT 20:05And if you’re the dev who got flagged? Don’t panic either. Just request a review. If you’re legitimate, your history will speak for itself.
The goal isn’t to distrust everyone. It’s to build systems that protect the good while exposing the bad.
We can do this.
FRANCIS JOHNSON
December 10, 2025 AT 17:47One day, we’ll look back at this moment and say: "That’s when we stopped treating crypto like a wild west and started treating it like infrastructure."
And we’ll be proud.
💙