The US government has imposed new sanctions on North Korea in relation to its army of illicit IT workers who fraudulently gain employment to finance the regime's weapons of mass destruction programs.

The Office of Foreign Assets Control (OFAC) has blacklisted several crypto wallets that have been linked to North Korea and were hosted on the Binance exchange. The wallets have been traced to a North Korean citizen named Sang Man Kim, who allegedly holds cryptocurrencies including Bitcoin and Ether, as well as stablecoins such as Tether's USDT and Circle's USDC. OFAC claims that at least $2 million worth of cryptocurrencies were moved through these wallets to North Korean entities and may have been used to fund weapon of mass destruction programs. Binance has since taken actions to remove such entities from its platform, after being accused of encouraging bad actors to bypass sanctions.

The BlueNoroff hacking group, which is linked to North Korea, has been targeting macOS users with a malware called RustBucket. The malware installs a backdoor PDF reader and is being used to steal cryptocurrency from users. Security researchers at Jamf and Sekoia.io have analyzed the malware and found that BlueNoroff has been conducting financially-driven campaigns targeting cryptocurrency exchanges and venture capital-related entities globally since 2017. In 2022, North Korea-linked hackers stole $1.7 billion in crypto from various entities, with the funds allegedly going towards funding its missile program.

Virgil Griffith, an Ethereum developer currently serving a five-year prison sentence, has been hit with a 10-year export privilege bar by the Department of Commerce. This means he will be unable to participate in international trade and business until April 12, 2032.

An undisclosed White House official has revealed that North Korea has funded around half of its missile tests through cyberattacks and crypto theft. The Lazarus Group, a notorious local hacking collective, was responsible for several exploits last year, including the $625 million breach on Ronin Network. Despite accusations and threats from the Western world, North Korea remains focused on its war-related efforts, with its government led by Kim Jong Un taking every opportunity to upgrade its weapons through missile programs and various tests. US intelligence agencies are working to identify the bad actors and trace the drained assets, while the United Nations has claimed that the totalitarian nation financed its missile programs and nuclear experiments with crypto theft.

Around 50% of North Korea's secretive missile program could be funded by cyberattacks and cryptocurrency theft, according to Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technology. American intelligence agencies are intensively tracking down North Korean operatives, and the U.S. Department of Treasury is working to locate stolen crypto.

A North Korean bank official, Sim Hyon Sop, has been charged with crypto laundering conspiracies and illegal wage laundering through a group of North Korean IT workers. The workers assumed fake identities and were paid in digital assets, which were then used to launder earnings and redirect them to North Korea. The sanctioned state used these funds to "generate revenue for North Korea's ballistic missile and WMD programs." The charges present a broader pattern of North Korean users leveraging VPNs and virtual digital assets to redirect revenues to North Korea. The FBI continues to investigate the case, and the money laundering charges are punishable by a maximum of 20 years in prison. However, the North Korean bank official and others are unlikely to face trial since they were largely based in China or Hong Kong when the crime occurred.

In this blog, we’ll examine the details of these charges and sanctions, and the new information they reveal about North Korea’s cryptocurrency money laundering processes.

Popular cybersecurity firm Kaspersky recently concluded an investigation into a supply chain attack on 3CX, a popular VoIP (Voice over Internet Protocol) software provider. The attack came to light on 29 March and reportedly affected cryptocurrency firms.

Russian cybersecurity firm Kaspersky has warned of a new form of attack on cryptocurrency firms, involving hackers using corrupted software with "surgical precision." Kaspersky's research identified several crypto-focused companies as victims of the 3CX software supply-chain attack, which is believed to have been carried out on behalf of the North Korean government. The attack involved corrupting the VoIP application, 3CX, to push the hackers' code onto victims' machines. The hackers sifted through the victims they infected to identify and deliberately target "fewer than 10 machines" connected to crypto firms. While it's yet unclear if the campaign was successful, Kaspersky advises cryptocurrency companies to scan their systems for further compromise.