According to TRM Labs, North Korean hackers stole over $2.1B in cryptocurrency in just 6 months. Sanctions have only slowed (not stopped) these operations. Businesses must screen contractors against OFAC's SDN list before making payments.
North Korea isn’t just building missiles; it’s stealing cryptocurrency to fund them. Since early 2025, U.S. officials have cracked down harder than ever on North Korean crypto networks tied to hacking, fraud, and money laundering. These aren’t random cybercriminals. They’re state-backed operatives working under the Workers’ Party of Korea, using fake identities, remote IT jobs, and blockchain loopholes to steal over $2.1 billion in crypto in just six months. The Office of Foreign Assets Control (OFAC) responded with a sweeping wave of sanctions, targeting not just hackers, but the entire pipeline that turns stolen digital assets into cash for weapons programs.
How North Korea Steals Crypto Through Fake IT Jobs
Here’s how it works: North Korea sends workers abroad, often to the U.S., Europe, and Southeast Asia, posing as freelance software developers or blockchain engineers. They apply to remote jobs at crypto startups, Web3 firms, and tech companies that rely heavily on gig platforms like Freelancer, RemoteHub, and CodeSandbox. Their resumes? Fabricated. Their identities? Stolen. Many use the same fake names across multiple platforms: ‘Joshua Palmer,’ ‘Alex Hong,’ ‘Liam Chen.’
Once hired, they do real work: writing code, fixing bugs, managing servers. But while they’re coding, they’re also mapping the company’s systems, stealing login credentials, and planting backdoors. When the time is right, they trigger ransomware attacks or quietly drain wallets. Some even get paid in stablecoins like USDC, which they then convert to cash through OTC brokers or centralized exchanges. The money flows through a maze of wallets, mixing services, and shell companies before reaching Pyongyang.
Security firms like TRM Labs and DTEX track these operations under names like Famous Chollima, Jasper Sleet, and UNC5267. These aren’t random hacker groups. They’re tightly coordinated units linked directly to North Korea’s military intelligence agencies. And they’re not just stealing; they’re learning. Every job application, every contract signed, every paycheck received is part of a long-term espionage and theft strategy.
The Sanctions That Hit the Money Trail
On August 27, 2025, OFAC dropped its biggest blow yet. It sanctioned Russian national Vitaliy Sergeyevich Andreyev, North Korean Kim Ung Sun, and two companies: Shenyang Geumpungri Network Technology Co., Ltd and Korea Sinjin Trading Corporation. These weren’t random names. Andreyev helped move crypto into U.S. dollars through cash transactions. Kim Ung Sun alone facilitated nearly $600,000 in transfers. The companies acted as fronts, laundering money through fake invoices and offshore accounts.
This wasn’t the first time. OFAC had already hit them in July 2025, and before that, in May 2023, they targeted Chinyong Information Technology Cooperation Company, a known hub for deploying North Korean IT workers across China, Laos, and Russia. Now, the list keeps growing. Korea Sobaeksu Trading Company and individuals like Kim Se Un, Jo Kyong Hun, and Myong Chol Min were added in October 2025 for helping evade sanctions and funneling cash to senior DPRK officials like Kim Sang Man and Sim Hyon Sop.
The Department of Justice didn’t just freeze accounts; they seized them. In June 2025, a civil forfeiture complaint in Washington, D.C., targeted over $7.7 million in crypto, NFTs, and digital assets tied to North Korean IT workers embedded in U.S. tech firms. The FBI and Homeland Security Investigations tracked wallet addresses, traced transactions across exchanges, and shut down key nodes in the laundering chain. They seized ETH, USDC, and even high-value NFTs that had been bought with stolen funds.
The Global Network Behind the Theft
North Korea doesn’t operate alone. Its crypto theft network spans continents. Russian and UAE-based servers host fake company websites. Chinese firms provide cloud infrastructure. Southeast Asian OTC brokers cash out the crypto. Each piece is legal on its own. Together, they form a sanctions-evasion machine.
Investigators found that many of the wallets used to receive stolen funds were linked to IP addresses in Moscow and Dubai. Some transactions passed through exchanges in Singapore and Hong Kong, where oversight is weaker. The use of stablecoins like USDC made it easier to move value quickly without triggering red flags. Once converted to cash, the money was funneled into North Korea through diplomatic channels, front companies, or even smuggled in physical bundles.
What’s scary is how hard it is to detect. These workers don’t steal from the company’s main wallet. They use personal accounts, fake freelance profiles, and third-party payment gateways. They’re not breaking into systems; they’re being paid to work inside them. Companies that hire remote freelancers without proper background checks are unknowingly helping the regime.
Why This Matters for Businesses and Users
If you run a crypto startup, hire remote developers, or use freelance platforms, you’re at risk. North Korea isn’t targeting banks or exchanges; they’re targeting you. The average company doesn’t screen freelancers for ties to sanctioned entities. But OFAC doesn’t care if you didn’t know. If you paid a worker who later turned out to be a DPRK operative, your business could be flagged for indirect exposure.
Even if you’re not a company, you’re still affected. Every dollar stolen from U.S. businesses goes toward missiles, nuclear warheads, and cyberwarfare tools. The same hackers who stole your employer’s crypto could be the ones launching ransomware attacks on hospitals, schools, or power grids. This isn’t abstract; it’s personal.
Blockchain analytics firms like TRM Labs now offer tools to screen contractors and payment recipients against OFAC’s sanctions list. But most small businesses don’t use them. They rely on LinkedIn profiles and GitHub portfolios. That’s not enough. Fake profiles are easy to make. Real identities are stolen. And the North Korean regime has spent years perfecting this deception.
What’s Next? More Sanctions, More Tracking
As of October 2025, OFAC and its partners are still uncovering new nodes in this network. More entities are expected to be added to the sanctions list in the coming months. Law enforcement is working with Japan, South Korea, and European allies to share intelligence and freeze assets abroad.
Blockchain tracking has improved. Wallets linked to known DPRK addresses are now flagged by major exchanges. Some platforms automatically block transactions from sanctioned IPs. But the hackers adapt. They use new wallets, new identities, new countries. The arms race continues.
What’s clear is that crypto isn’t just a financial tool anymore; it’s a weapon. And North Korea is using it better than most nation-states. The U.S. response isn’t just about punishment. It’s about disruption. By cutting off the money, they’re cutting off the missiles.
How to Protect Yourself
If you’re a business hiring remote workers:
- Use verified identity checks, not just resumes or GitHub profiles.
- Screen all payment recipients against the OFAC SDN list before transferring funds.
- Use blockchain analytics tools to flag suspicious wallet activity.
- Limit access to sensitive systems for contractors. Use role-based permissions.
- Require multi-factor authentication for all crypto wallets and admin accounts.
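A sketch of the pre-payment screening step from the list above, as an added example that is not part of the original article: it checks a payee name and wallet against SDN-style records. The sample records are constructed, the wallet is a placeholder, and the remarks format and the 0.85 threshold are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed SDN-style sample. Names are those cited in the article; the
# wallet is a made-up placeholder, not a real designated address.
SAMPLE_SDN = [
    {"name": "KIM, Ung Sun", "remarks": ""},
    {"name": "KOREA SINJIN TRADING CORPORATION", "remarks": ""},
    {"name": "SHENYANG GEUMPUNGRI NETWORK TECHNOLOGY CO., LTD",
     "remarks": "Digital Currency Address - ETH 0x" + "ab" * 20 + ";"},
]
# Assumed remarks format for wallet identifiers: "... - <ASSET> <ADDRESS>;"
ADDR_RE = re.compile(r"Digital Currency Address - (\w+) (\w+)")

def normalize(name):
    """Fold accents/case, drop punctuation, sort tokens ('KIM, Ung Sun' == 'Ung Sun Kim')."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_name.lower())))

def canon_addr(addr):
    """Hex (0x...) addresses are case-insensitive; others (e.g. base58) are not."""
    addr = addr.strip()
    return addr.lower() if addr.lower().startswith("0x") else addr

def build_index(entries):
    """Return (normalized names, wallet -> listed name) for fast screening."""
    names = [(normalize(e["name"]), e["name"]) for e in entries]
    wallets = {canon_addr(addr): e["name"]
               for e in entries for _asset, addr in ADDR_RE.findall(e["remarks"])}
    return names, wallets

def screen(payee_name, wallet, index, threshold=0.85):
    """Return hits as (kind, listed_name, score); an empty list means no match."""
    names, wallets = index
    hits = []
    if wallet and canon_addr(wallet) in wallets:
        hits.append(("wallet", wallets[canon_addr(wallet)], 1.0))
    key = normalize(payee_name)
    for norm, listed in names:
        score = SequenceMatcher(None, key, norm).ratio()
        if score >= threshold:  # near matches go to manual review, not auto-clear
            hits.append(("name", listed, round(score, 2)))
    return hits

INDEX = build_index(SAMPLE_SDN)
```

A name-only pass misses the reused aliases the article describes, which is why the wallet check runs independently of the name the payee supplies.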
If you’re a crypto user:
- Don’t send funds to unknown wallets, even if they’re linked to a ‘trusted’ project.
- Use exchanges that comply with OFAC sanctions and screen for high-risk addresses.
- Be wary of too-good-to-be-true freelance gigs in crypto. Ask questions.
- Report suspicious activity to your exchange or to the FBI’s IC3 portal.
The threat isn’t going away. But awareness and action can stop you from becoming part of the problem.
Are North Korean hackers still stealing crypto in 2025?
Yes. As of October 2025, North Korean threat actors stole over $2.1 billion in cryptocurrency in the first half of the year alone, according to TRM Labs. Their operations are more sophisticated than ever, using fake IT jobs to infiltrate crypto companies and launder funds through global networks.
How does OFAC know who to sanction?
OFAC works with the FBI, Treasury’s Financial Crimes Enforcement Network (FinCEN), and blockchain analytics firms like TRM Labs to trace crypto transactions. They identify wallet addresses, link them to known DPRK operatives, and uncover the companies and individuals helping move the money. Once they have enough evidence, they add names to the Specially Designated Nationals (SDN) list.
Can I get in trouble if I unknowingly paid a North Korean hacker?
Possibly. OFAC enforces strict liability, meaning you can be penalized even if you didn’t know the person was sanctioned. That’s why businesses are now required to screen contractors and payment recipients against the OFAC list. Ignorance isn’t a defense. Use screening tools, keep records, and avoid paying into high-risk wallets.
What cryptocurrencies are North Koreans stealing the most?
Stablecoins like USDC and USDT are their top choice because they’re pegged to the U.S. dollar and easy to convert. They also steal ETH, BTC, and high-value NFTs. Once they have the crypto, they move it through mixers, decentralized exchanges, and OTC brokers to cash it out without raising alarms.
Are these sanctions working?
They’re slowing them down, not stopping them. The stolen amount dropped slightly in late 2025 after the August sanctions, but the attacks continue. The real win is visibility: now companies, exchanges, and governments can spot these patterns faster. The goal isn’t to eliminate every theft, but to make it too risky and expensive for North Korea to keep going.
Suhail Kashmiri
November 10, 2025 AT 17:02
This is why I can't trust any remote dev anymore. I hired someone last year who "fixed my smart contract" - turned out they stole my entire wallet. No background checks, no verification, just a LinkedIn profile and a GitHub with 3 commits. North Korea isn't some distant threat - they're sitting in your Slack right now, pretending to be "Liam Chen" and asking if you use MetaMask. Wake up.
Kristin LeGard
November 10, 2025 AT 17:08
Let me get this straight - we're sanctioning people who work for a country that's been starving for 30 years while we bomb half the planet? This isn't about security, it's about control. The U.S. sanctions everyone who doesn't bow to the dollar. If you're poor and smart, you're a threat. These hackers aren't monsters - they're kids with laptops trying to feed their families while the West hoards crypto like it's gold. Stop pretending this is moral.
Arthur Coddington
November 11, 2025 AT 21:19
So we're treating crypto theft like it's a war crime? What's next? Sanctioning people who use VPNs? This whole thing feels like a performance. The real criminals are the VC firms that raised billions off NFT monkeys while ignoring the fact that half their devs are probably operating out of Pyongyang. We're not stopping hackers - we're just making them better at hiding. And honestly? I'm kind of impressed.
Phil Bradley
November 11, 2025 AT 22:06
Think about it - these people aren't just stealing crypto. They're learning how the entire Western tech ecosystem works. Every job application, every code review, every Zoom call - they're mapping our infrastructure. It's like espionage, but with GitHub commits and Upwork profiles. And the scariest part? Most of them are just trying to get out. They're not evil. They're trapped. And we're the ones building the cage.
Stephanie Platis
November 12, 2025 AT 22:10
Let’s be crystal-clear: OFAC’s actions are not only legally justified - they are morally imperative. The fact that you’re even entertaining the idea that these actors are "just trying to feed their families" reveals a dangerous moral relativism. These are not refugees; they are state-sponsored cyber-terrorists. Their work directly funds weapons of mass destruction. If you hire someone without verifying their identity against the SDN list, you are complicit. Period.
Michelle Elizabeth
November 14, 2025 AT 13:16
It’s ironic, really. We built this whole decentralized dream to escape control… and now the most controlled regime on earth is using it better than we are. They don’t need banks. They don’t need borders. They just need a laptop, a fake LinkedIn, and a stablecoin. Meanwhile, we’re still arguing over whether to use MetaMask or Coinbase. We lost the future before we even realized we were fighting for it.