Treasury Cracks Down on Global Web of Sanctions Evasion for North Korea’s IT-Spy Schemes

The U.S. Department of the Treasury has imposed new sanctions against a network of individuals and entities supporting North Korea’s overseas IT worker operations, including a Russian national and a Chinese firm. The Office of Foreign Assets Control (OFAC) added Vitaliy Sergeyevich Andreyev, a Russian national, and several entities to its Specially Designated Nationals and Blocked Persons List for facilitating financial flows tied to the regime’s cryptocurrency schemes [1]. Andreyev is accused of working with a North Korean official, Kim Ung Sun, to convert over $600,000 in cryptocurrency into U.S. dollars since at least December 2024, a move that supports North Korea’s nuclear and missile programs [3].

Among the sanctioned entities, Shenyang Geumpungri Network Technology Co., Ltd. — a Chinese front company based in Shenyang, Liaoning — was identified as a facilitator for North Korean IT worker delegations. These workers operate under false identities and fraudulent documentation to infiltrate companies in the U.S. and other countries, eventually stealing data and demanding ransom [2]. The Chinese company was designated alongside the Korea Sinjin Trading Corporation, a North Korean entity tied to the country’s military and intelligence apparatus, for their roles in laundering and converting cryptocurrency into fiat currency [1].

The U.S. Treasury emphasized that these operations, which generate millions in revenue for the regime, represent a significant evasion strategy of global sanctions. North Korea has long exploited the employment of overseas workers — particularly in the IT sector — to generate illicit income, often bypassing traditional financial systems. The Treasury noted that these workers, once embedded in legitimate companies, often deploy malware to exfiltrate intellectual property or extort employers [4]. The latest sanctions follow a pattern of U.S. actions targeting similar schemes, including the prior designation of the Chinyong Information Technology Cooperation Company in 2024 [3].

Cryptocurrency remains a central tool in North Korea’s evasion strategy. OFAC identified a specific XBT cryptocurrency address linked to Andreyev, which TRM Labs is monitoring for behavioral overlap with other DPRK-linked networks [4]. The Treasury highlighted that these digital assets allow the regime to obscure the origin of funds, move value across borders, and continue its sanctioned weapons programs without immediate detection. The sanctioned entities and individuals are now subject to prohibitions on transactions with U.S. persons and institutions, reinforcing the administration’s stance against providing financial or logistical support to North Korea [1].

The U.S. has increasingly focused on tracing and disrupting the financial infrastructure that enables these operations. Recent enforcement actions include targeting coin mixing services and front companies that help launder stolen crypto. While the Trump administration has shifted away from sanctioning decentralized services, the Justice Department recently secured a conviction against a co-founder of Tornado Cash for illegal money transmission, signaling a more targeted enforcement approach [2]. These actions underscore the complexity of North Korea’s evasion networks and the U.S. government’s commitment to tightening financial chokepoints used by the regime [4].

Source: [1] North Korea Designations; Issuance of Russia-related [2] Treasury Sanctions Crypto IT Scam Spanning North Korea [3] US sanctions fraud network used by North Korean 'remote [4] US Treasury Sanctions Russian National and Entities