Executive Summary
In June 2024, the U.S. Treasury Department sanctioned eight individuals and two companies linked to North Korea for laundering proceeds from cybercrime and IT worker schemes. These sanctioned parties allegedly funneled over $3 billion in stolen cryptocurrency and hundreds of millions in illicitly earned IT wages to the North Korean regime, supporting its weapons programs. Entities sanctioned include North Korean banking officials, an IT company operating in China, and financial institution representatives in both China and Russia, all accused of violating international sanctions, managing illicit funds, and enabling large-scale money laundering through sophisticated cyber and identity subterfuge.
This incident underscores the advanced capabilities of North Korea’s cyber operations and their direct link to geopolitical threats, as well as the ongoing shift towards state-sponsored cryptocurrency theft and IT fraud as major funding sources for sanctioned regimes.
Why This Matters Now
North Korean cybercriminal tactics are rapidly evolving and increasingly fund destabilizing activities, prompting urgent regulatory and security responses. This incident highlights the rising convergence of financial crime, cyber-enabled money laundering, and state-sponsored threat actors, increasing urgency for firms to improve controls, monitoring, and international compliance.
Attack Path Analysis
The North Korean threat actors gained initial cloud access via compromised credentials or fraudulent identities, embedding IT workers within target networks or cloud environments. Once established, they escalated privileges to access sensitive services, enabling them to traverse laterally to financial and cryptocurrency systems across multi-cloud or hybrid platforms. With extended access, they established covert command and control channels to orchestrate money-laundering schemes and bypass detection. Leveraging their foothold, they exfiltrated large sums of cryptocurrency and data through obfuscated outbound flows. Ultimately, their impact involved laundering stolen assets and supporting national objectives, disrupting legitimate financial operations globally.
Kill Chain Progression
Initial Compromise
Description
Threat actors used fraudulent identities, compromised credentials, or manipulated recruitment to insert IT workers into cloud environments or obtain direct cloud/service account access.
Related CVEs
CVE-2022-41328
CVSS 9.3. A path traversal vulnerability in FortiOS allows a remote attacker to execute arbitrary code via crafted HTTP requests.
Affected Products:
Fortinet FortiOS – 7.0.0 to 7.0.6, 7.2.0 to 7.2.1
Exploit Status:
Exploited in the wild
CVE-2023-23397
CVSS 9.8. A privilege escalation vulnerability in Microsoft Outlook allows an attacker to execute arbitrary code by sending a specially crafted email.
Affected Products:
Microsoft Outlook – 2013 SP1, 2016, 2019, Office 365
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Valid Accounts
Gather Victim Identity Information
Proxy
Deliver Command and Control Infrastructure
Remote Access Software
Credential Manipulation
Masquerading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Responding to Alerts and Incidents
Control ID: 12.10.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Identity Verification and Continuous Authentication
Control ID: Identity Pillar - Policy Enforcement
NIS2 Directive – Risk Management Measures
Control ID: Article 21
ISO/IEC 27001:2022 – User Registration and De-registration
Control ID: A.9.2.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target for North Korean cryptocurrency theft schemes totaling $3 billion, requiring enhanced egress security and encrypted traffic monitoring capabilities.
Financial Services
Critical vulnerability to money laundering operations and sanctions evasion, necessitating zero trust segmentation and anomaly detection for compliance frameworks.
Information Technology/IT
Exploited through fake identity schemes generating hundreds of millions, demanding multicloud visibility and threat detection across hybrid connectivity infrastructures.
Computer Software/Engineering
Infiltrated by North Korean IT workers using sophisticated evasion techniques, requiring Kubernetes security and inline IPS protection mechanisms.
Sources
- North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes – https://cyberscoop.com/north-korean-companies-people-sanctioned-for-money-laundering-from-cybercrime-it-worker-schemes/
- Treasury Sanctions DPRK Bankers and Institutions Involved in Laundering Cybercrime Proceeds and IT Worker Funds – https://home.treasury.gov/news/press-releases/sb0302
- Justice Department Announces Nationwide Actions to Combat Illicit North Korean Government Revenue Generation – https://www.justice.gov/opa/pr/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government
- North Korean hackers stole record $2 billion in crypto in 2025, including single heist worth $1.5 billion, report claims – https://www.tomshardware.com/tech-industry/cryptocurrency/north-korean-hackers-steal-a-record-usd2-billion-in-crypto-in-2025-including-single-heist-worth-usd1-5-billion-report-claims-rogue-state-accounts-for-60-percent-of-all-reported-crypto-thefts-this-year-usd6-75-billion-total-since-records-began
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, egress controls, lateral east-west traffic restrictions, and real-time threat detection would have constrained lateral movement, denied covert command and control, and prevented unauthorized data exfiltration. CNSF enforcement of granular policies, combined with observability, reduces an attacker's ability to exploit, pivot through, and monetize cloud resources.
Control: Zero Trust Segmentation
Mitigation: Unauthorized access attempts isolated to tightly scoped segments for rapid detection.
Control: Multicloud Visibility & Control
Mitigation: Unusual privilege assignments or policy changes alert security teams for response.
Control: East-West Traffic Security
Mitigation: Movement between workloads, regions, or clusters is detected and blocked if not policy-aligned.
Control: Threat Detection & Anomaly Response
Mitigation: Covert and anomalous C2 traffic is detected in real-time with actionable alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound flows to unapproved destinations are blocked or logged for response.
End-to-end enforcement and audit trails enable rapid investigation, recovery, and restitution.
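To make the egress, east-west and privilege-change controls listed above concrete, here is an added example (not the page's or any vendor's code) that evaluates constructed flow records and IAM audit events against a constructed allowlist policy; the workload names, network ranges, role names and event fields are assumptions for illustration.

```python
"""Policy checks modelled on the CNSF controls above: egress policy enforcement,
east-west traffic restriction, and alerting on unusual privilege assignments.
All policy values and records below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed policy: external networks each workload may reach (absent = no egress),
# approved workload-to-workload paths, sensitive roles, and who may grant them.
EGRESS_ALLOW = {"payments-api": [ip_network("203.0.113.0/24")]}
EAST_WEST_ALLOW = {("web-tier", "payments-api"), ("payments-api", "ledger-db")}
PRIVILEGED_ROLES = {"BillingAdmin", "OrganizationOwner"}
APPROVED_GRANTORS = {"iam-pipeline"}

@dataclass
class Flow:
    src: str
    dst_ip: str
    dst_workload: Optional[str] = None  # None means the destination is outside the environment

def evaluate_flow(flow: Flow) -> str:
    """Classify one flow as 'allow', 'block-egress' or 'block-east-west'."""
    if flow.dst_workload is None:  # outbound: destination must be in the source's allowlist
        nets = EGRESS_ALLOW.get(flow.src, [])
        return "allow" if any(ip_address(flow.dst_ip) in n for n in nets) else "block-egress"
    return "allow" if (flow.src, flow.dst_workload) in EAST_WEST_ALLOW else "block-east-west"

def privilege_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Alert on privileged role grants not made by approved automation or lacking a change ticket."""
    alerts = []
    for e in events:
        if e["action"] != "grant_role" or e["role"] not in PRIVILEGED_ROLES:
            continue
        if e["actor"] not in APPROVED_GRANTORS or not e.get("ticket"):
            alerts.append(f"{e['actor']} granted {e['role']} to {e['target']} (ticket={e.get('ticket') or 'none'})")
    return alerts

# Constructed samples: an approved callout, an unentitled outbound connection, an
# unapproved east-west hop, a pipeline grant with a ticket, and a self-grant by a contractor.
SAMPLE_FLOWS = [Flow("payments-api", "203.0.113.10"), Flow("batch-worker", "198.51.100.7"),
                Flow("web-tier", "10.0.2.5", dst_workload="ledger-db")]
SAMPLE_EVENTS = [
    {"actor": "iam-pipeline", "action": "grant_role", "role": "BillingAdmin", "target": "svc-ledger", "ticket": "CHG-1001"},
    {"actor": "contractor-42", "action": "grant_role", "role": "OrganizationOwner", "target": "contractor-42"},
    {"actor": "contractor-42", "action": "grant_role", "role": "Viewer", "target": "analyst-7"},
]

def run_checks():
    return [evaluate_flow(f) for f in SAMPLE_FLOWS], privilege_alerts(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(run_checks())
```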
Impact at a Glance
Affected Business Functions
- Financial Transactions
- Customer Data Management
- IT Operations
Estimated downtime: 7 days
Estimated loss: $1,500,000
Potential exposure of sensitive customer financial data, including account details and transaction histories, due to unauthorized access facilitated by exploited vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to enforce least-privilege access between users, workloads, and cloud assets.
- Implement east-west traffic security controls to detect and restrict lateral movement within and across cloud environments.
- Enforce strict egress filtering and outbound policy enforcement to prevent unauthorized data exfiltration and shadow communications.
- Leverage centralized multi-cloud visibility and anomaly detection for rapid identification of privilege misuse or covert operations.
- Regularly audit privilege assignments and automation policies to ensure compliance and minimize insider or credential-based threats.