US Treasury Sanctions North Korean Fraud Mastermind, 21 Cryptocurrency Addresses Frozen

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced on Thursday sanctions against six individuals and two entities, accusing them of involvement in North Korea-planned IT personnel scam schemes, with the proceeds used to fund North Korea’s weapons development programs. The sanctioned networks operate simultaneously in North Korea, Vietnam, Laos, and Spain, and the sanctions list includes 21 cryptocurrency addresses on Ethereum and Tron.

Details of the Sanctioned Targets: Six Individuals and Two Entities

(Source: U.S. Department of the Treasury)

The OFAC sanctions target a comprehensive scam network structure:

Sanctioned Entities

Amnokgang Technology Development Company (North Korea): Alleged to manage and deploy North Korean IT staff overseas, serving as the core operational entity of the scam network.

Quangvietdnbg International Services Company Limited (Vietnam): Assisting in the operation of the scam network in Vietnam.

Sanctioned Individuals

Nguyen Quang Viet: CEO of Quangvietdnbg in Vietnam, accused of laundering $2.5 million through cryptocurrency for the scam network.

Do Phi Khanh, Hoang Van Nguyen, Hoang Minh Quang: Vietnamese nationals suspected of participating in the North Korea IT worker network.

Yun Song Guk: Alleged to have assisted in network operations.

York Louis Celestino Herrera: Accused of participating in the network operations from Spain.

Legal consequences of OFAC sanctions include the immediate freezing of all assets under U.S. jurisdiction, prohibiting any financial transactions or business dealings with the sanctioned parties within the U.S., and violators face civil and criminal penalties.

Operation Mode of North Korea IT Scams: Disguising as Legitimate Workers to Infiltrate Companies

Blockchain analysis firm Chainalysis stated on Thursday that the sanctions on multiple blockchain addresses “reflect North Korea’s increasingly multi-chain fund transfer methods”—they are no longer confined to a single blockchain but are simultaneously deploying fund transfer channels across multiple public chains.

Chainalysis pointed out that North Korea’s IT personnel scams “constitute a complex and increasingly serious threat.” Specifically, these networks operate by stealing or forging identities to secure jobs in legitimate companies worldwide—including blockchain and crypto firms—by posing as legitimate employees; after establishing trust, they secretly implant malware within company networks to steal proprietary technology and sensitive information; the proceeds are then laundered through cryptocurrency channels and ultimately flow back to North Korea.

A Google report from April 2025 also confirmed that this scam infrastructure has spread widely worldwide, no longer limited to specific regions, significantly increasing the difficulty of detection and prevention.

Crypto Companies’ Compliance Alerts

Chainalysis has provided specific recommendations for crypto firms: screen all counterparties against the latest OFAC sanctions list, be vigilant for employment patterns consistent with IT personnel scams, and continuously monitor for unusual payment behaviors.

Frequently Asked Questions

How do North Korea IT scam workers infiltrate crypto companies?

These scammers typically steal or forge identity documents to apply for positions as freelancers or remote employees at crypto, blockchain, and other tech companies. Their resumes, portfolios, and communication methods are carefully crafted to appear legitimate, sometimes only revealing malicious intent after interviews. Once inside company networks, they may steal code, implant malware, or leak sensitive technical information.

What is the practical impact of the 21 sanctioned crypto addresses?

Once addresses are listed on the OFAC sanctions list, individuals, entities, and companies within the U.S. (including crypto exchanges and service providers) are prohibited from engaging in any transactions with these addresses. Holding assets at these addresses or providing services to them could result in severe civil and criminal legal consequences. Most mainstream compliance tools automatically block interactions with sanctioned addresses.

How can potential North Korean IT scam employees be identified?

Suspicious signs include: requesting payment in cryptocurrency; using VPNs or proxies to hide real locations; inability to conduct video calls or exhibiting inconsistent behavior; requesting remote access beyond job responsibilities; and unusual working hours (possibly reflecting different time zones). Chainalysis recommends that companies establish enhanced due diligence processes for IT vendors and freelancers.