The United States Department of the Treasury took decisive action on November 4, 2025, sanctioning eight individuals and two entities connected to the Democratic People’s Republic of Korea (DPRK) for their alleged roles in laundering proceeds from cybercrime and fraudulent IT worker schemes through cryptocurrency networks. The sanctions represent one of the most significant enforcement actions targeting North Korean crypto-enabled financial crimes in recent years.
TL;DR
- Treasury’s OFAC sanctioned 8 individuals and 2 entities linked to DPRK cybercrime and IT worker fraud
- 53 cryptocurrency addresses tied to North Korea’s Cheil Credit Bank were added to the SDN list
- The sanctions target networks laundering stolen crypto proceeds and funneling funds back to Pyongyang
- OFAC simultaneously updated Belarus-related general licenses affecting certain blocked aircraft transactions
- Compliance teams worldwide must now screen against the newly designated addresses and individuals
The Scope of the Sanctions
The Office of Foreign Assets Control (OFAC) added the sanctioned individuals to its Specially Designated Nationals and Blocked Persons (SDN) List, effectively freezing any assets they hold under U.S. jurisdiction and prohibiting American persons from engaging in transactions with them. Among those designated are operatives connected to Cheil Credit Bank, a North Korean financial institution that has long been suspected of facilitating the regime’s access to international financial systems through illicit channels.
Blockchain analytics firm Elliptic confirmed that OFAC listed 53 cryptocurrency addresses associated with Cheil Credit Bank and the sanctioned individuals, spanning multiple blockchains including Bitcoin, Ethereum, and various stablecoin networks. The breadth of the designations underscores the extent to which North Korean operatives have embedded themselves within the decentralized finance ecosystem to move and launder stolen funds.
How the Laundering Networks Operate
According to Treasury’s press release, the sanctioned individuals were involved in two primary schemes. The first involves laundering proceeds from cybercrime — including the notorious cryptocurrency heists attributed to North Korean hacking groups such as Lazarus Group. After stealing digital assets from exchanges, DeFi protocols, and bridge platforms, the operatives move funds through a complex web of wallets, mixers, and cross-chain bridges to obscure the trail before converting them into fiat currency.
The second scheme involves the DPRK’s IT worker program, in which North Korean nationals pose as freelance developers and tech professionals on platforms like Upwork and Toptal. These workers generate significant revenue — estimated in the hundreds of millions of dollars annually — which is then laundered through crypto payment channels and routed back to the North Korean government. The sanctioned individuals allegedly played key roles in managing the financial infrastructure that enables this revenue stream.
Implications for Crypto Compliance
The addition of 53 new crypto addresses to the SDN list creates immediate compliance obligations for cryptocurrency exchanges, custodians, and other virtual asset service providers (VASPs). Under U.S. law, these entities must screen transactions against the SDN list and block any funds associated with sanctioned addresses. Failure to do so can result in severe penalties, including civil fines of up to $356,000 per violation under OFAC’s enforcement framework.
Major exchanges are expected to update their transaction monitoring systems within hours to flag any interactions with the newly designated addresses. Blockchain analytics companies including Chainalysis, Elliptic, and TRM Labs have already incorporated the new designations into their screening tools, enabling real-time detection of potential sanctions violations.
A Pattern of Escalating Enforcement
This action follows a series of increasingly aggressive enforcement moves by U.S. authorities against North Korean crypto-enabled financial crime. Earlier in 2025, the FBI and Treasury jointly exposed several crypto addresses linked to the TraderTraitor campaign, a social engineering operation that targeted employees at decentralized finance companies. The November 4 sanctions build on that work by targeting the financial infrastructure — the bankers and institutions — that make these schemes possible at scale.
The timing is also notable, coming just days before the Treasury closed the GENIUS Act comment period on the same day, signaling that the U.S. government is simultaneously building regulatory frameworks for legitimate stablecoin activity while aggressively pursuing bad actors who exploit digital assets for sanctions evasion and money laundering.
Why This Matters
Treasury’s sanctions against North Korean crypto laundering networks demonstrate that the United States is not waiting for comprehensive crypto regulation to be finalized before wielding its existing enforcement tools. The designation of 53 cryptocurrency addresses sends a clear message to both bad actors and the platforms that serve them: the blockchain is not an anonymous safe haven, and the U.S. government has the technical capability and legal authority to trace, freeze, and sanction illicit digital asset flows. For the crypto industry, these actions reinforce the urgency of robust compliance programs — not just as a regulatory checkbox, but as a fundamental requirement for operating in an environment where geopolitical enforcement increasingly intersects with decentralized finance.
Disclaimer: This article is for informational purposes only and does not constitute financial, legal, or investment advice. Sanctions compliance is a complex legal area, and readers should consult qualified professionals for guidance specific to their circumstances.
53 crypto addresses across multiple chains is a significant number. Cheil Credit Bank has been on the radar for years, but this is the first time we have seen such a broad designation covering Bitcoin, Ethereum, and stablecoin networks simultaneously. Compliance teams are going to be scrambling to update their screening tools.
Interesting perspective on IT worker fraud. The FBI estimates North Korea has placed thousands of tech workers in remote positions globally. Their salaries get converted to crypto and sent through mixing services before reaching Pyongyang. Sanctioning addresses is reactive; preventing the initial hiring is the harder problem.
The IT worker fraud angle is the part that gets less attention but is arguably more damaging. North Korea has been planting operatives in remote tech jobs for years, funneling salaries back to Pyongyang. Sanctioning the individuals behind it is a start, but the crypto laundering layer makes enforcement incredibly difficult.
Great analysis, thanks for sharing this perspective.
Every time OFAC adds addresses to the SDN list, exchanges have hours to implement screening or face massive penalties. The multi-chain nature of these 53 addresses is what concerns me most. Some DeFi protocols have no idea if their users are interacting with sanctioned wallets. That gap needs closing.