Executive Summary
In May 2024, the U.S. Treasury sanctioned two North Korean banks and eight individuals believed to be heavily involved in high-profile cryptocurrency laundering operations linked to state-sponsored cybercrime. The sanctioned parties allegedly laundered millions of dollars in digital assets stolen through cyberattacks and IT worker fraud, often hiding illicit proceeds to evade international detection. North Korean operatives reportedly posed as legitimate IT contractors for Western firms to gain unauthorized access to sensitive systems and divert funds, fueling further malicious operations and funding government programs in Pyongyang.
This incident exemplifies shifting tactics in cyber-enabled financial crime, where attackers exploit advanced laundering techniques and ambiguous compliance requirements around cryptocurrency. Growing international regulatory pressure and the adaptation of state-sponsored groups to digital infrastructure make improved detection and policy enforcement urgent.
Why This Matters Now
The targeting of global financial systems by North Korean cyber actors underscores mounting risks for organizations using cryptocurrencies and remote IT talent. As regulatory scrutiny intensifies, businesses must implement modern controls to detect anomalous payments, strengthen east-west traffic security, and secure hybrid work environments against identity-driven threats.
Attack Path Analysis
North Korean actors initiated access into target environments using compromised credentials or fraudulent IT worker roles. They increased privileges via abuse of permissions or escalation flaws to gain the necessary control for financial operations. Once inside, the attackers moved laterally across cloud and on-prem resources to expand their presence and access sensitive assets. Establishing covert command and control, they maintained persistence and coordinated their operations using encrypted or evasive channels. The malicious actors exfiltrated cryptocurrency assets and financial data through disguised, policy-bypassing outbound connections. Finally, they laundered the stolen funds via complex crypto operations, causing significant financial loss and reputational impact for victim organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to finance, IT, or crypto environments through fraudulent IT worker accounts, credential harvesting, or supply chain compromise.
Related CVEs
CVE-2023-34362
CVSS 9.8
A SQL injection vulnerability in MOVEit Transfer allows an unauthenticated attacker to gain unauthorized access to the database.
Affected Products:
Progress Software MOVEit Transfer – < 2023.0.1
Exploit Status:
exploited in the wild
CVE-2022-30190
CVSS 7.8
A remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows an attacker to execute arbitrary code via maliciously crafted documents.
Affected Products:
Microsoft Windows – 7 SP1, 8.1, 10, 11, Server 2008 SP2, Server 2012, Server 2016, Server 2019, Server 2022
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Phishing
Command and Scripting Interpreter
Proxy
Masquerading
Exfiltration Over C2 Channel
Input Capture
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Use of Unique Authentication Credentials
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – User Identity Verification
Control ID: Identity - 2.2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
North Korean cybercrime sanctions highlight cryptocurrency laundering risks requiring enhanced encrypted traffic monitoring, egress security, and threat detection capabilities for financial institutions.
Financial Services
Fraudulent IT worker schemes and crypto laundering operations necessitate strengthened zero trust segmentation, anomaly detection, and multicloud visibility to prevent infiltration.
Information Technology/IT
The IT sector faces direct infiltration risk from fraudulent North Korean workers, requiring enhanced identity verification, east-west traffic security, and comprehensive compliance monitoring.
Computer/Network Security
Security firms must implement advanced threat detection, inline IPS capabilities, and cloud native security fabrics to combat state-sponsored cryptocurrency laundering operations.
Sources
- US sanctions North Korean bankers linked to cybercrime, IT worker fraud: https://www.bleepingcomputer.com/news/security/us-treasury-sanctions-north-korean-bankers-linked-to-cybercrime-it-worker-fraud/
- Treasury Sanctions DPRK Bankers and Institutions Involved in Laundering Cybercrime Proceeds and IT Worker Funds: https://home.treasury.gov/news/press-releases/sb0302
- US sanctions North Korean bankers accused of laundering stolen cryptocurrency: https://apnews.com/article/41f2f4e1c14ed0c81a41494c6c3afb73
- North Korean hackers stole record $2 billion in crypto in 2025, including single heist worth $1.5 billion, report claims: https://www.tomshardware.com/tech-industry/cryptocurrency/north-korean-hackers-steal-a-record-usd2-billion-in-crypto-in-2025-including-single-heist-worth-usd1-5-billion-report-claims-rogue-state-accounts-for-60-percent-of-all-reported-crypto-thefts-this-year-usd6-75-billion-total-since-records-began
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Zero Trust segmentation, workload isolation, strong egress controls, and continuous threat detection would have constrained the adversaries by restricting movement, exposing abnormal flows, and preventing unauthorized exfiltration of funds across cloud and hybrid networks.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to sensitive workloads and services by enforcing strict identity-based policies.
Control: Multicloud Visibility & Control
Mitigation: Enables real-time detection of privilege escalations through centralized policy and activity monitoring.
Control: East-West Traffic Security
Mitigation: Limits or detects lateral movement using workload-to-workload microsegmentation and traffic inspection.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on anomalous remote access and beaconing behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents data exfiltration and unauthorized outbound flows via robust egress filtering and application-to-internet controls.
Limits business impact by providing distributed, real-time enforcement and insight across the attack lifecycle.
Impact at a Glance
Affected Business Functions
- Financial Transactions
- Cryptocurrency Exchanges
- IT Services
Estimated downtime: 7 days
Estimated loss: $1,500,000,000
Unauthorized access to sensitive financial data and personal information of clients.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to isolate users, IT contractors, and financial workloads at the network and application level.
- Deploy robust egress filtering and continuous monitoring to block unauthorized data transfers and exfiltration to cryptocurrency endpoints.
- Implement East-West workload traffic inspection and microsegmentation in cloud and hybrid environments to detect and prevent lateral movement.
- Centralize cloud policy, privilege escalation monitoring, and multicloud visibility to rapidly detect and remediate abnormal admin activity.
- Integrate distributed, automated threat detection and incident response workflows leveraging Cloud Native Security Fabric controls for real-time containment.