
Breaking Down the OFAC Sanctions on North Korean Crypto Hacking Networks

On May 23, 2023, the cryptocurrency security landscape shifted significantly as the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and South Korea’s Ministry of Foreign Affairs jointly announced sanctions against several entities tied to North Korean hacking operations. The move targeted organizations responsible for some of the largest cryptocurrency thefts in history and exposed the sophisticated infrastructure behind state-sponsored crypto crime.

The Exploit Mechanics

The sanctioned entities include the 110th Research Center and its parent agency, the Technical Reconnaissance Bureau. These organizations oversee hacking units such as the notorious Lazarus Group, which has been linked to billions of dollars in stolen cryptocurrency over the past several years. OFAC confirmed that the 110th Research Center was behind the 2013 DarkSeoul malware attack on South Korean government agencies, validating long-held suspicions within the cybersecurity community.

The operation relies on a dual-pronged approach. First, dedicated hacking units breach cryptocurrency exchanges, DeFi protocols, and bridge services using sophisticated attack vectors including supply chain compromises, social engineering, and smart contract exploits. Second, a network of government-controlled IT firms places North Korean workers in overseas technology companies—including crypto businesses—where they collect salaries paid in cryptocurrency and funnel the proceeds back to support weapons development programs.

One such firm, Chinyong Information Technology Cooperation Company, operated through an employee named Sang Man Kim out of Vladivostok, Russia. OFAC identified six cryptocurrency addresses associated with Kim, all of which were deposit addresses at a major cryptocurrency exchange. Between 2021 and 2022, these addresses received over $28 million worth of cryptocurrency, including Bitcoin, Ethereum, Tether, and USDC, flowing through a complex web of mixers, DeFi protocols, and intermediary wallets.

Affected Systems

The sanctions highlight the breadth of North Korean operations targeting the crypto ecosystem. The Lazarus Group, operating under the 110th Research Center, has been implicated in attacks on centralized exchanges, decentralized finance protocols, cross-chain bridges, and individual wallet holders. The group has exploited vulnerabilities in smart contract code, leveraged flash loans for price manipulation, and used sophisticated laundering techniques including Tornado Cash and cross-chain bridges to obfuscate stolen funds.

At the time of the sanctions announcement, Bitcoin was trading at approximately $27,225 and Ethereum at $1,854, reflecting a market that had partially recovered from the turmoil of 2022 but remained vulnerable to large-scale exploits. The sanctioned addresses, while no longer active at the time of designation, had already moved significant volumes through the ecosystem during their operational period.

The Mitigation Strategy

OFAC’s sanctions serve as both a punitive measure and a deterrent, but they also carry practical implications for the crypto industry. Compliance teams at exchanges and DeFi protocols must screen against the newly sanctioned addresses, and any platform that has interacted with these wallets faces potential legal exposure. The inclusion of specific cryptocurrency addresses in the sanctions designation represents a growing trend of on-chain enforcement actions.

For individual users and institutions, the sanctions underscore the importance of robust compliance tools. Blockchain analytics platforms like Chainalysis played a key role in tracing the activity of the sanctioned addresses, demonstrating how on-chain surveillance can complement traditional financial intelligence. Platforms should implement transaction monitoring systems that flag interactions with sanctioned wallets and maintain audit trails for regulatory compliance.

Lessons Learned

The coordinated action between the United States and South Korea signals a new era of international cooperation in combating crypto-related cybercrime. Several key takeaways emerge from this enforcement action. First, state-sponsored hacking groups remain the most sophisticated threat to cryptocurrency security, with resources and patience far exceeding those of independent attackers. Second, the dual approach of hacking and IT worker infiltration creates multiple vectors that the industry must address simultaneously. Third, the inclusion of specific on-chain addresses in sanctions demonstrates that regulators are becoming increasingly adept at navigating the blockchain ecosystem.

The fact that Kim’s addresses processed over $28 million through mainstream exchanges also raises questions about the effectiveness of existing Know Your Customer and Anti-Money Laundering procedures. Despite operating for over a year, the activity was only disrupted after the sanctions announcement, suggesting that current compliance frameworks may not be sufficient to detect state-sponsored laundering operations.

User Action Required

Cryptocurrency users and businesses should take immediate steps in response to these sanctions. Verify that your exchange or platform has updated its compliance screening to include the newly designated addresses. If you operate a business that accepts cryptocurrency payments, ensure your transaction monitoring tools can detect interactions with sanctioned wallets. Consider using blockchain analytics services to audit your own wallet history for any exposure to the identified addresses. Stay informed about future sanctions updates, as the Treasury has indicated that additional designations targeting North Korean crypto operations are likely. Finally, maintain heightened security practices including hardware wallet usage, multi-factor authentication, and regular security audits to protect against the sophisticated attack vectors employed by state-sponsored groups.
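The screening that the Mitigation Strategy section and the steps above call for (flag any transaction touching a designated address, keep an audit trail, and audit your own wallet history for exposure) can be sketched in a few dozen lines. The following Python is an added example, not code from the article, OFAC, or any analytics vendor: the designated addresses, wallets and transactions are constructed placeholders, and a real deployment would load the current OFAC SDN digital-currency address entries instead. Beyond the direct match the text describes, it also flags one-hop indirect exposure, where our wallet dealt with a counterparty that itself transacted with a designated address.

```python
"""Screen a wallet's transaction history for sanctioned-address exposure.

Added illustration, not code from the article, OFAC or any vendor.
Every address here is a CONSTRUCTED placeholder, not a designated address.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    chain: str       # "ETH" or "BTC"
    sender: str
    receiver: str
    asset: str
    amount: float
    ts: str          # ISO-8601 timestamp, retained for the audit trail


@dataclass(frozen=True)
class Record:
    """One audit-trail entry explaining why a transaction was flagged."""
    txid: str
    exposure: str              # "direct" or "indirect"
    sanctioned: str            # designated address involved
    via: Optional[str]         # intermediary counterparty (indirect only)
    link_txid: Optional[str]   # tx tying the intermediary to the designated address
    asset: str
    amount: float
    ts: str


def normalize(chain: str, addr: str) -> str:
    """Canonical form for matching: EVM addresses are case-insensitive hex
    (EIP-55 mixed case is only a checksum) and bech32 Bitcoin addresses are
    case-insensitive too, so lowercase both; base58 addresses are left alone."""
    addr = addr.strip()
    if chain == "ETH" or addr.lower().startswith("bc1"):
        return addr.lower()
    return addr


# Constructed placeholders standing in for SDN entries, as (chain, address).
SANCTIONED = {
    ("ETH", normalize("ETH", "0x" + "dead" * 10)),
    ("BTC", normalize("BTC", "bc1q-sanctioned-placeholder")),
}


def screen_history(history, own, sanctioned=SANCTIONED):
    """Flag each tx where an `own` address touched a designated address
    directly, or touched a counterparty that itself transacted with a
    designated address elsewhere in `history` (one-hop indirect exposure)."""
    own = {(c, normalize(c, a)) for c, a in own}

    def key(tx, addr):
        return (tx.chain, normalize(tx.chain, addr))

    # Pass 1: counterparties (not ours) that dealt directly with a designated address.
    tainted = {}  # (chain, addr) -> (linking txid, designated address)
    for tx in history:
        s, r = key(tx, tx.sender), key(tx, tx.receiver)
        for side, other in ((s, r), (r, s)):
            if side in sanctioned and other not in sanctioned and other not in own:
                tainted.setdefault(other, (tx.txid, side[1]))

    # Pass 2: our own transactions, checked against both sets.
    records = []
    for tx in history:
        s, r = key(tx, tx.sender), key(tx, tx.receiver)
        if s not in own and r not in own:
            continue
        other = r if s in own else s
        if other in sanctioned:
            records.append(Record(tx.txid, "direct", other[1], None, None,
                                  tx.asset, tx.amount, tx.ts))
        elif other in tainted:
            link_txid, designated = tainted[other]
            records.append(Record(tx.txid, "indirect", designated, other[1],
                                  link_txid, tx.asset, tx.amount, tx.ts))
    return records


def exposure_summary(records):
    """Counts per exposure class, the figure a compliance review starts from."""
    out = {"direct": 0, "indirect": 0}
    for rec in records:
        out[rec.exposure] += 1
    return out


# Constructed sample history (not real on-chain data).
OWN_WALLETS = [("ETH", "0x" + "aaaa" * 10), ("BTC", "bc1q-our-wallet-placeholder")]
SAMPLE_HISTORY = [
    # our wallet pays a designated address written in EIP-55 mixed case
    Tx("tx1", "ETH", "0x" + "aaaa" * 10, "0x" + "DeAd" * 10, "ETH", 1.5, "2022-03-01T10:00:00Z"),
    # our wallet receives from an intermediary ...
    Tx("tx2", "ETH", "0x" + "bbbb" * 10, "0x" + "aaaa" * 10, "USDT", 500.0, "2022-03-02T11:00:00Z"),
    # ... that was itself funded by the designated address (one hop away)
    Tx("tx3", "ETH", "0x" + "dead" * 10, "0x" + "bbbb" * 10, "USDT", 2000.0, "2022-03-01T12:00:00Z"),
    # clean BTC receipt, no exposure
    Tx("tx4", "BTC", "bc1q-clean-counterparty", "bc1q-our-wallet-placeholder", "BTC", 0.1, "2022-03-03T09:00:00Z"),
]

if __name__ == "__main__":
    hits = screen_history(SAMPLE_HISTORY, OWN_WALLETS)
    for rec in hits:
        print(rec)
    print(exposure_summary(hits))   # {'direct': 1, 'indirect': 1}
```

Two design points matter in practice. Matching is done on a normalized form, because a designated EVM address copied in EIP-55 mixed case must still hit; a list compared byte-for-byte silently misses it. And the indirect pass is deliberately limited to one hop within the history you hold: deeper tracing across mixers and bridges is what the analytics platforms mentioned above exist for, and a local tool that only looked one hop deep should say so in its audit trail rather than imply a clean bill of health.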

This article is for informational purposes only and does not constitute financial or legal advice. Always consult with qualified professionals for compliance and security decisions.


12 thoughts on “Breaking Down the OFAC Sanctions on North Korean Crypto Hacking Networks”

  1. Lazarus has been running rampant for years and OFAC sanctions are basically a speed bump. The 110th Research Center was literally behind DarkSeoul in 2013 and they just kept escalating.

    1. Agreed, though the joint action with South Korea is at least a step beyond unilateral US sanctions. Sharing intel between agencies could actually disrupt some of the cash-out networks.

    2. lazarus went from darkseoul malware in 2013 to sophisticated bridge exploits. the evolution of state sponsored crypto crime is terrifying

      1. went from wiping hard drives with DarkSeoul to exploiting cross-chain bridge smart contracts. the technical evolution in 10 years is staggering. state resources + crypto expertise is a terrifying combo

        1. Pedro V. DarkSeoul to Ronin bridge in less than 10 years. state funded labs reverse engineering smart contracts with unlimited budget. protocol security has to evolve faster

    3. exactly. OFAC designations are performative against state actors. the only real defense is better protocol level security and bridge auditing

  2. billions stolen and these are just the attacks we know about. the unreported stuff through mixers and cross-chain bridges is probably way worse

  3. the dual prong approach of exchange breaches plus DeFi exploits is textbook asymmetric warfare. north korea has basically built a crypto funded weapons program

    1. crypto funded weapons program is exactly right. UN estimates NK stole over 3 billion in crypto to fund missile development

      1. the UN panel estimated NK stole $3B+ in crypto by end of 2023. that funds roughly half their missile program. crypto security isn't just about protecting individual wallets anymore

      2. chainalysis_fan: sigint_crypto the UN estimate of $3B is probably low. chainalysis traced about $640M from Harmony bridge alone to DPRK wallets in 2022. one attack

  4. OFAC sanctions are symbolic against a nation state that already can't use the traditional banking system. the real defense is bridge audits and on-chain forensics
