DPRK cybercrime and illicit IT workers targeted by new U.S. sanctions

North Korean cyber actors have been acknowledged as a threat since the late 2000s, but became widely recognized as a global, revenue-generating problem only after 2014-2016

North Korean (DPRK) state-linked cyber actors have stolen and laundered billions of dollars (primarily cryptocurrency) using a global ecosystem of hackers, shell companies, front banks, proxy individuals and third-country financial institutions. DPRK actors steal the crypto and consolidate proceeds into mixing/tumbling services, privacy coins, chain-hopping, and controlled wallets.

Proceeds are converted to fiat currency via: (1) complicit or negligent banks and correspondent networks in third countries, (2) front companies that invoice or funnel payments, (3) casinos and cash-intensive businesses, and (4) proxy individuals (including recruited or coerced foreign nationals).

In addition, DPRK IT workers are located all around the world, obfuscating their nationality and identities.

There is a long history of DPRK cybercrime. Early DPRK operations, dating from the late 2000s, mainly involved military and political espionage. By the 2013-2014 period, however, focused cyberattacks on South Korean government agencies, media, and banks caused widespread system outages. After the 2014 DPRK attack on Sony Pictures, global awareness of the problem grew rapidly. In the 2015-2017 period, the DPRK shifted toward raising foreign currency via cyber operations as international sanctions tightened and cash shortages grew within the regime.

At this point, DPRK cyber operations are viewed as state-backed revenue generation that is integrated into the regime’s economy, not as an auxiliary tool. DPRK laundering methods are evolving rapidly. Western allies monitoring the situation have documented systematic use of Chinese/Russian third-country banks, shell firms, and proxy networks to cash out and move funds.

Pyongyang reacted harshly to the new U.S. sanctions. “Now that the present U.S. administration has clarified its stand to be hostile towards the DPRK to the last, we will also take proper measures to counter it with patience for any length of time,” read a statement by North Korea’s Vice Foreign Minister Kim Un-chol released on November 6. 

Washington acts

In its latest action, on November 4 the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight individuals and two entities for laundering funds derived from a variety of illicit Democratic People’s Republic of Korea (DPRK) schemes, including cybercrime and information technology (IT) worker fraud.

See also “U.S. sanctions malicious North Korean and Russian cyber actors,” which explains the sanctions actions announced on July 8.

Begin Treasury Department media release:

Treasury Sanctions DPRK Bankers and Institutions Involved in Laundering Cybercrime Proceeds and IT Worker Funds

Today (November 4), the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight individuals and two entities for their role in laundering funds derived from a variety of illicit Democratic People’s Republic of Korea (DPRK) schemes, including cybercrime and information technology (IT) worker fraud.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security. Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.”

As highlighted in the recent Multilateral Sanctions Monitoring Team report titled “The DPRK’s Violation and Evasion of UN Sanctions Through Cyber and Information Technology Worker Activities,” this malicious activity poses continuing threats to the United States and the international community, as these operations have been linked to the funding for the DPRK’s weapons of mass destruction (WMD) programs and destruction of physical computer equipment.

Key enablers of DPRK cybercrime and IT workers

The Government of the DPRK relies on a broad range of illicit activity, including cybercrime, to generate revenue for its WMD and ballistic missile programs and explicitly tasks its hackers to raise revenue using illicit methods. DPRK cyber actors are responsible for conducting high-level cyber-enabled espionage, disruptive cyberattacks, and financial theft at a scale unmatched by any other country. Over the past three years, North Korea-affiliated cybercriminals have stolen over $3 billion, primarily in cryptocurrency, often using sophisticated techniques such as advanced malware and social engineering.

In addition, DPRK IT workers are located all around the world, obfuscating their nationality and identities. They earn hundreds of millions of dollars per year by engaging in a wide range of IT development work by obfuscating their nationality with false or stolen identities when they seek employment contracts and create accounts on freelance work websites. In some instances, DPRK IT workers engage other foreign freelance programmers to establish business partnerships. They collaborate with these non-North Korean freelance workers on projects which were originally commissioned to those workers and split the revenue.

Jang Kuk Chol (Jang) and Ho Jong Son are North Korean bankers who have helped manage funds, including $5.3 million in cryptocurrency, on behalf of OFAC-designated First Credit Bank. A portion of these funds can be linked to a DPRK ransomware actor that has previously targeted U.S. victims and handled revenue from DPRK IT workers.

Today, OFAC designated Jang and Ho Jong Son pursuant to E.O. 13694, as amended by E.O. 13757, E.O. 14144, and E.O. 14306 (“E.O. 13694, as further amended”), for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity identified in section 1(a)(ii)(D) of E.O. 13694, as further amended. OFAC also designated Jang and Ho Jong Son pursuant to E.O. 13810 for being North Korean persons, including North Korean persons that have engaged in commercial activity that generates revenue for the Government of North Korea or the Workers’ Party of Korea. OFAC is also updating the SDN List entry for First Credit Bank to highlight its cryptocurrency addresses and activity. Please find more information here.

Korea Mangyongdae Computer Technology Company (KMCTC) is an IT company based in North Korea that operates IT worker delegations from at least two cities in China, Shenyang and Dandong. KMCTC IT workers have used Chinese nationals as banking proxies in order to obfuscate the origin of funds generated by the DPRK IT workers’ illicit revenue generation schemes. U Yong Su is the current president of KMCTC.

Today, OFAC designated KMCTC pursuant to E.O. 13810 for operating in the information technology industry in North Korea and designated U Yong Su pursuant to E.O. 13810 for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, KMCTC, a person whose property and interests in property are blocked pursuant to E.O. 13810.

Sanctions evasion networks

The DPRK relies on a vast network of internationally located representatives of DPRK financial institutions who provide access to international markets and financial systems, allowing the DPRK to launder revenue generated through illicit financial activities, including fraudulent IT work, heists of digital assets, and sanctions evasion schemes, in support of its WMD and ballistic missile programs.  This network is comprised of banking representatives, financial institutions, and shell companies located in North Korea and internationally, including in China and Russia.

Ryujong Credit Bank is a North Korea-based financial institution that has provided financial assistance in sanctions avoidance activities between China and North Korea. These activities have included the remittance of North Korea’s foreign currency earnings, money laundering, and financial transactions for overseas North Korean workers.

Today, OFAC designated Ryujong Credit Bank pursuant to E.O. 13810 for operating in the financial services industry in North Korea.

Ho Yong Chol, Han Hong Gil (Han), Jong Sung Hyok (Jong), Choe Chun Pom (Choe) and Ri Jin Hyok (Ri) are China or Russia-based North Korean representatives of DPRK financial institutions. Ho Yong Chol has helped to facilitate the transfer of over $2.5 million in U.S. dollars (USD) and Chinese yuan (CNY) on behalf of U.S.-designated Korea Daesong Bank, while also managing transactions worth over $85 million in USD on behalf of another DPRK government affiliated group. Han is an employee of the U.S.-designated Koryo Commercial Bank (KCB) and has coordinated over $630,000 in both USD and CNY worth of transactions on behalf of the U.S.-designated Ryugyong Commercial Bank. Jong is the chief representative of the U.S.-designated DPRK Foreign Trade Bank (FTB) in Vladivostok, Russia. Choe is a representative of the U.S.-designated Central Bank of the DPRK (DPRK Central Bank) who has facilitated transactions worth over $200,000 in USD and CNY, while also having coordinated travel for Russian officials to visit Pyongyang, North Korea. Ri is a representative of the FTB and has facilitated transactions on behalf of a FTB front company worth over $350,000 in USD, CNY, and euros.

Today, OFAC designated Ho Yong Chol pursuant to E.O. 13551 for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Korea Daesong Bank, a person whose property and interests in property are blocked pursuant to E.O. 13551; Han pursuant to E.O. 13810 for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, KCB, an entity whose property and interests in property are blocked pursuant to E.O. 13810; Jong and Ri pursuant to E.O. 13722 for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, FTB, a person whose property and interests in property are blocked pursuant to E.O. 13722; and Choe pursuant to E.O. 13722 for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, DPRK Central Bank, a person whose property and interests in property are blocked pursuant to E.O. 13722.

The United States strongly condemns the activities of forces associated with the DPRK, including those supporting the DPRK’s WMD and ballistic missile programs in violation of multiple UN Security Council resolutions (UNSCRs) and enabling associated sanctions evasion activities. As described in the October 22 report issued by the Multilateral Sanctions Monitoring Team (MSMT), “The DPRK’s Violation and Evasion of UN Sanctions Through Cyber and Information Technology Worker Activities,” the DPRK’s malicious cyber activities and generation of revenue to fund its unlawful WMD and ballistic missile programs through cybercrime including cryptocurrency heists and overseas IT work pose a threat to our citizens, international security and the global digital economy.  Today, the United States is imposing sanctions to reaffirm our commitment to hold accountable those who target our citizens and benefit the DPRK’s unlawful weapons programs. We stand alongside the other MSMT participating states in remaining committed to strengthening collective resilience against such threats.

Sanctions Implications

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person.

Click here for more information on the individuals and entities designated today.

End text.
