For the second time in the past month, the US Treasury Department has taken aim at North Korea’s crypto-asset activities – bringing to light more information about how the heavily sanctioned country uses crypto to circumvent financial and economic restrictions and support its malicious cyber activities.
On May 23, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual involved in North Korea’s efforts to deploy IT workers to technology companies — including cryptocurrency ones — around the world.
The US government has previously warned that North Korea is systematically deploying IT workers to get jobs on crypto exchanges. Once established on exchanges, those North Korean IT workers will seek to generate income in crypto-assets, including receiving wages paid in crypto, or by undertaking or facilitating cyber-theft of cryptocurrencies from those exchanges.
As part of its May 23 action, OFAC targeted Kim Sang Man, who is an employee of Jinyong IT Cooperation, a North Korean IT firm that OFAC also sanctioned as part of the action. According to OFAC, Kim is based out of Vladivostok, Russia and played an integral role in facilitating the cryptocurrency activities of North Korean IT workers.
According to OFAC: “Kim was involved in the sale and transfer of IT equipment to the DPRK and, as recently as 2021, received transfers of cryptocurrency funds from IT teams located in China and Russia worth more than $2 million.”
As part of the crackdown, OFAC included five cryptoasset addresses controlled by Kim on the Specially Designated Nationals and Blocked Persons List (SDN List). Addresses placed on the SDN list by OFAC are in Bitcoin, Ether, Tether and USDC.
As a result, US persons – including crypto exchanges – are prohibited from transacting with these and any other crypto addresses associated with Kim. At Elliptic, we worked urgently to get these new addresses flagged in our solutions immediately after OFAC announced the action, to enable our clients to ensure comprehensive compliance with the new sanctions.
The above image from Elliptic Investigator shows the flow of funds into an Ethereum wallet controlled by North Korean individual Sang Man Kim, who was sanctioned by OFAC on May 23. Kim’s wallet received funds from a number of entities, including Axie Infinity Ronin Bridge, the DeFi protocol hacked by North Korea in March 2022, as well as the OFAC-sanctioned mixing service Tornado Cash.
This is not the first time that OFAC has targeted a network of North Korean IT workers involved in crypto activities; in fact, it is the second such action in less than a month. On April 24, OFAC sanctioned three individuals involved in converting crypto-assets into fiat currencies on behalf of the North Korean regime. One of those individuals was Sim Hyon Sop, a representative of the China-based Korea Kwangson Banking Corp (KKBC) – a North Korean bank under sanctions.
According to OFAC—which included Sim’s crypto addresses on the SDN list at the time of the sanctions—Sim received cryptoassets from North Korean IT operatives secretly operating cryptoasset exchanges in the US. He then took steps to launder those funds – an activity detailed in a supplemental indictment released by the US Department of Justice (DoJ).
US authorities also allege that Sim worked with two crypto brokers based in Hong Kong and mainland China to convert those crypto assets into US dollars, which were then used to buy luxury items such as tobacco products and electronics that the North Korean regime cannot import due to international sanctions. The case provided some of the clearest details yet about North Korea’s use of ill-gotten cryptocurrencies.
OFAC’s focus on exposing North Korea’s illegal crypto activity will undoubtedly continue. North Korea’s cybercriminal networks – including the notorious Lazarus Group – are increasingly relying on cryptocurrencies to raise funds in the face of sweeping international sanctions targeting the country.
Elliptic’s research found that the country has raised more than $2.3 billion from hacking crypto exchanges, and international financial watchdogs are particularly concerned about North Korea’s activities in the decentralized finance (DeFi) space as well. These concerns led OFAC to sanction Tornado Cash, a mixing service running on Ethereum and other blockchains that North Korea used to launder more than $455 million in cybercrime cryptoassets.
In light of the increasing focus on the use of sanctions to target North Korea’s crypto activities, compliance teams at crypto exchanges and financial institutions should ensure that they use robust screening solutions to identify crypto addresses associated with these and other OFAC-sanctioned actors. This includes access to next-generation analytics, such as Elliptic’s unique Holistic Screening capabilities that can ensure sanctions risk is detected, even as North Korea attempts to launder funds through the DeFi ecosystem.