This article is reprinted with permission from SlowMist Technology, author: SlowMist AML Team, copyright belongs to the original author.
On November 4, 2025, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a new round of sanctions against several North Korean bank employees and financial institutions, freezing all assets of 8 individuals and 2 entities within the United States or controlled by U.S. persons. These individuals and entities are accused of raising funds for the North Korean regime through cybercrime, information technology (IT) labor fraud, and other means to support its nuclear and missile programs.
According to the U.S. Treasury's announcement, the North Korean government has long relied on various illegal activities, including cybercrime, to fund its weapons of mass destruction and ballistic missile programs, instructing its hackers to profit through cyber espionage, destructive attacks, and financial theft. Statistics show that in the past three years, North Korean cybercriminals have stolen over $3 billion in assets, primarily transferred in the form of cryptocurrency. At the same time, a large number of North Korean IT professionals have concealed their nationality and identity by registering accounts on freelance websites and using false or stolen identity information to apply for jobs, earning hundreds of millions of dollars annually through various IT development work. In some cases, they also collaborate with other foreign programmers to complete projects and share profits.
The U.S. Treasury emphasized that North Korea is able to transfer and launder these illegal proceeds through the international financial system, relying on a network of international financial institution representatives composed of domestic and foreign bank representatives, financial institutions, and shell companies. These agents are distributed across multiple countries, including China and Russia, providing North Korea with channels to access international markets and financial systems, enabling it to obtain funds through fraudulent IT work, digital asset theft, and evasion of sanctions.
The sanctioned targets include:
- Entities (2):
  - Ryujong Credit Bank — A financial institution headquartered in Pyongyang, North Korea, which has provided financial services to assist in evading sanctions between China and North Korea, including remitting foreign exchange income back to North Korea, money laundering, and processing financial transactions for overseas North Korean workers.
  - Korea Mangyongdae Computer Technology Corporation (KMCTC) — An IT company headquartered in Pyongyang, North Korea, reportedly operating IT labor dispatch services in at least two cities in China, Shenyang and Dandong. KMCTC's IT workers have used Chinese citizens as bank agents to conceal the true source of funds from their illegal revenue-generating activities.
- Individuals (8):
  - Choe Chun Pom: As a representative of the Central Bank of the DPRK in Russia, he handled over $200,000 in U.S. dollar and renminbi transactions and was responsible for coordinating the itinerary of Russian officials visiting Pyongyang.
  - Han Hong Gil: An employee of Koryo Commercial Bank Ltd, he coordinated over $630,000 in U.S. dollar and renminbi transactions for the sanctioned Ryujong Credit Bank.
  - Jang Kuk Chol and Ho Jong Son: Both are fund managers for Cheil Credit Bank (also known as First Credit Bank, formerly Kyongyong Credit Bank), directly responsible for managing an overseas fund pool that includes $5.3 million in cryptocurrency. Some of these funds can be traced back to North Korean state-level ransomware groups and IT labor networks. They were sanctioned for "providing financial support and technical assistance for cybercrime activities."
  - Ho Yong Chol: North Korean financial representative stationed in China, he transferred over $2.5 million in U.S. dollars and renminbi for Korea Daesong Bank and assisted another North Korean government-affiliated entity in operating a fund flow of $85 million. He is identified as "acting on behalf of the sanctioned bank" and providing channels for the North Korean financial system to evade sanctions.
  - Jong Sung Hyok: Head of the Foreign Trade Bank (FTB) representative office in Vladivostok, Russia, primarily responsible for assisting the bank in cross-border settlement and money laundering activities.
  - Ri Jin Hyok: FTB representative, assisted the bank's shell companies in transferring over $350,000 in U.S. dollars, renminbi, and euros.
  - U, Yong Su: Current head of KMCTC, listed on the sanctions list for managing KMCTC and participating in overseas IT labor and money laundering activities.
These 8 individuals form the core of North Korea's financial agent network in China and Russia, responsible for providing fund transfer, account opening, and money laundering services for North Korea's illegal activities.
Additionally, when updating the SDN List, OFAC listed 53 cryptocurrency addresses associated with Cheil Credit Bank.
We analyzed the 53 USDT-TRC20 addresses on the sanctions list using SlowMist's on-chain tracking and anti-money laundering tool, MistTrack. The analysis results are as follows:
These 53 addresses have collectively received approximately 16 million USDT-TRC20. The sources of funds are primarily concentrated in the hot wallets of several mainstream exchanges, with some coming from previously sanctioned addresses in other incidents.
As of now, about 60% of the address balances are 0, with funds having been transferred or laundered; the remaining approximately 40% of addresses still hold funds, with individual address balances ranging from 270,000 to 380,000 USDT, currently totaling about 6.5 million USDT, all of which have been frozen by Tether.
In terms of active time, the trading activities of these 53 sanctioned addresses spanned from August 2023 to July 2025, with a peak period from mid-2024 to the first half of 2025. There were still a large number of transactions from January to May 2025, especially in May, with multiple transactions almost every day; a few addresses were active for a shorter time, only a few days to a week (e.g., May 6 to May 7); after early August, activity significantly decreased, with most addresses stopping new transactions a week before the sanctions announcement.
In terms of transaction paths and frequency, we observed significant multi-level transfers and cross-convergence characteristics between addresses, for example, repeated transfers among addresses such as TGKgL, TGpNz, TQKQ4, TXFUY, suggesting an effort to conceal the source of funds and obscure transfer trajectories.
Additionally, multiple addresses (such as TGKgL, TBwghb, TMECK) have previously deposited or transferred funds to platforms like Binance and MEXC.
This round of sanctions highlights the risks of North Korea raising funds and evading sanctions through cybercrime, IT labor fraud, and international financial agent networks. To mitigate related risks, it is recommended that practitioners use on-chain tracking tools (such as MistTrack) to screen counterparty addresses in real time before receiving or transferring digital assets, understand their historical trading behavior and potential risks, and confirm whether the source of funds is transparent and compliant, so as to avoid receiving assets from sanctioned wallets, known high-risk addresses, or suspicious transaction paths. Enterprises, exchanges, service providers, and other project parties should implement customer identity verification (KYC) and on-chain transaction monitoring (KYT) mechanisms, continuously track the flow of funds, identify potential high-risk addresses, sanctioned entities, and suspicious funds, and avoid business associations with high-risk entities, thereby reducing the risk of being passively involved in sanction networks or illegal fund circulation.
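A minimal sketch of the pre-transaction screening recommended above, added here as an illustration and not taken from SlowMist or MistTrack: it walks a counterparty's incoming transfers back toward listed addresses, so that funds relayed through intermediate wallets (the multi-level transfers described earlier) are still caught. The address labels, the transfer list, and the block/review hop thresholds are constructed assumptions, not a compliance standard.

```python
from collections import deque

# Constructed sample data: placeholder labels, not real TRON addresses.
SANCTIONED = {"T_SDN_1", "T_SDN_2"}
# (sender, receiver) pairs, constructed to mimic layered transfers.
TRANSFERS = [
    ("T_SDN_1", "T_HOP_A"),
    ("T_HOP_A", "T_HOP_B"),
    ("T_HOP_A", "T_SDN_2"),
    ("T_HOP_B", "T_CUSTOMER_X"),
    ("T_EXCHANGE_HOT", "T_CUSTOMER_Y"),
    ("T_SDN_2", "T_CUSTOMER_Z"),
]

def upstream_exposure(address, transfers, sanctioned, max_hops=3):
    """Return (hops, path) to the nearest sanctioned source of funds, or None.

    hops == 0 means the address itself is listed. The path runs from the
    sanctioned source to `address`. Breadth-first search gives the shortest path.
    """
    senders = {}
    for src, dst in transfers:
        senders.setdefault(dst, set()).add(src)
    queue = deque([(address, [address])])
    seen = {address}  # guards against cycles between relay wallets
    while queue:
        node, path = queue.popleft()
        if node in sanctioned:
            return len(path) - 1, path[::-1]
        if len(path) - 1 >= max_hops:
            continue  # do not trace further back than max_hops
        for src in sorted(senders.get(node, ())):
            if src not in seen:
                seen.add(src)
                queue.append((src, path + [src]))
    return None

def screen(address, transfers=TRANSFERS, sanctioned=SANCTIONED, max_hops=3):
    """Map exposure to a decision; the thresholds are illustrative assumptions."""
    hit = upstream_exposure(address, transfers, sanctioned, max_hops)
    if hit is None:
        return "clear"
    # Listed address or direct receipt from one: block. Indirect: manual review.
    return "block" if hit[0] <= 1 else "review"

if __name__ == "__main__":
    for addr in ("T_CUSTOMER_X", "T_CUSTOMER_Y", "T_CUSTOMER_Z", "T_SDN_1"):
        print(addr, screen(addr), upstream_exposure(addr, TRANSFERS, SANCTIONED))
```

In production the sanctioned set would be loaded from the current SDN list and the transfer graph from an indexer or KYT provider; both are outside the scope of this sketch.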
Based on years of blockchain security research and risk control practices, SlowMist's anti-money laundering tracking and analysis system, MistTrack, has provided stable and reliable on-chain risk control support and strong AML compliance solutions for multiple exchanges and enterprises, as well as accurate data analysis, real-time risk monitoring, and comprehensive compliance support for individual users, corporate teams, and developers. MistTrack can detect the source of funds, screen whether funds come from sanctioned wallets or high-risk addresses, and avoid receiving contaminated funds; it can also conduct real-time risk control, performing address reviews before transactions to avoid dealings with sanctioned addresses or suspicious funds, reducing the likelihood of freezing. Currently, MistTrack has accumulated over 400 million address labels, more than a thousand entities, over 500,000 threat intelligence data points, and over 90 million risk addresses, providing solid support for digital asset security and combating money laundering crimes.
Original article: “The U.S. Cracks Down on North Korean Crypto Laundering Network: Multiple Bank Employees and Financial Institutions Implicated”