Today, the Treasury’s Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People’s Republic of Korea (DPRK) IT worker schemes.
The DPRK generates significant revenue for its WMD and ballistic missile programs by…
All US assets tied to them—and to the four Russian entities named—are now frozen. That means Americans can’t make payments or open accounts linked to those sanctioned parties without risking civil or criminal penalties.
North Korea’s IT workforce now numbers in the thousands. Most are based in China and Russia, but they apply for jobs at firms in wealthier countries via mainstream and niche recruiting sites.
According to OFAC, the aim is to raise cash for ballistic missile work by embedding skilled coders inside target firms. It’s a model that spreads risk and makes detection harder than a single big attack.
A recent Google study found that this kind of scheme has gone global. While elaborate hacks still grab headlines, state‑aligned groups are increasingly banking on deception.
That involves stealing data and posing as trusted workers rather than breaking into servers from the outside. It’s quieter. It’s often cheaper. And it can keep running for years before anyone notices.
Blockchain‑intelligence firm TRM Labs reports that North Korea‑linked actors were behind about $1.6 billion of the $2.1 billion in crypto stolen across 75 crypto hacks and exploits in the first half of 2025.
It’s a huge chunk. TRM Labs warns that while big exchange breaches still happen, a growing share of revenue now comes from these false‑identity worker schemes.