Full Report
The U.S. Treasury Department imposed sanctions on two North Korean financial institutions and eight individuals involved in laundering cryptocurrency stolen in cybercrime and fraudulent IT worker schemes. [...]
Analysis Summary
# Threat Actor: North Korea State-Sponsored Actors (General Reference)
## Attribution & Identity
Attribution in this context is to North Korean state-sponsored entities, including financial facilitators and cyber units, working under the umbrella of the DPRK government structure. Key entities sanctioned include:
* **Financial Institutions:** Ryujong Credit Bank, Korea Mangyongdae Computer Technology Company (KMCTC).
* **Individuals Sanctioned (Facilitators/Bankers):** Jang Kuk Chol, Ho Chong Son, Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom, and Ri Jin Hyok.
* **Corporate Leadership:** U Yong Su (President of KMCTC).
* **Known Aliases/Groups:** The activities are linked to the North Korean cyber force, whose sophistication is compared to that of China and Russia.
## Activity Summary
The sanctioned entities and individuals are involved in two primary revenue-generating schemes supporting the DPRK:
1. **Cryptocurrency Theft and Laundering:** Laundering cryptocurrency stolen via cybercrime operations (including ransomware attacks targeting U.S. victims).
2. **Fraudulent IT Worker Schemes:** Utilizing DPRK IT workers globally who use false or stolen identities to secure employment contracts on freelance websites, earning hundreds of millions of dollars annually.
Overall, North Korean-affiliated cybercriminals have stolen over $3 billion, primarily in cryptocurrency, over the past three years. The illicit revenue funds the DPRK's WMD and ballistic missile programs.
## Tactics, Techniques & Procedures
- **Cybercrime Sophistication:** Use of advanced malware and social engineering techniques to steal cryptocurrency.
- **Financial Evasion:** Money laundering activities coordinated between North Korea and China.
- **Sanctions Evasion:** Utilizing financial channels in Russia and China to process tens of millions of U.S. dollars in transactions in violation of UN sanctions.
- **Identity Deception (IT Workers):** Obfuscating nationality and using false or stolen identities by IT workers seeking employment contracts globally.
## Targeting
- **Sectors:** The summary does not name the sectors hit. Ransomware and cryptocurrency theft point to organizations exposed to sophisticated intrusions (financial services, critical infrastructure, and general business), while the IT worker scheme targets freelance employment platforms and the companies that contract through them.
- **Geography:** Activity spans North Korea, China (money laundering linkages and IT worker deployment), and Russia (financial representatives). The ransomware victims were located in the U.S.
- **Victims:** U.S. organizations hit by ransomware (specific entities are not named in this summary), and the employers and platforms that contracted fraudulently employed DPRK IT workers.
## Tools & Infrastructure
- **Malware Families Used:** Advanced malware used in cryptocurrency theft operations (specific families are not named in the text).
- **Infrastructure:** Financial networks spanning North Korea, China, and Russia used to obfuscate transactions.
## Implications
The ongoing success of these cyber and financial operations ($3B stolen in three years) demonstrates that the North Korean cyber force is a fully operational, high-sophistication threat comparable to major state actors. The revenue directly supports the DPRK's illicit weapons programs, posing a significant threat to international security and the global digital economy. The use of seemingly legitimate IT workers creates an insider threat vector: a fraudulently hired worker is issued legitimate credentials and access, so traditional perimeter defenses never see an intrusion.
## Mitigations
- Increased scrutiny and vetting of IT workers and contractors, particularly those hired through freelance platforms, to verify that the claimed identity and nationality match the person actually performing the work.
- Enhanced cryptocurrency tracing and forensic capabilities to disrupt the laundering networks used by DPRK actors.
- Financial institutions should screen counterparties and transactions against the designated banks and facilitators, including their representatives operating in China and Russia, to avoid exposure to secondary sanctions.