The US Department of the Treasury has sanctioned six individuals and two entities accused of enabling a North Korean scheme that infiltrates foreign companies through fake IT workers and channels earnings to fund the country's weapons programs.
The $800m Ghost Workforce: US Treasury Sanctions North Korean IT Fraud Network
13 March 2026 - 18:00 CET
By Sandmark staff
Treasury said operatives linked to North Korea use stolen identities, fabricated personas and fraudulent documents to obtain remote work with legitimate firms, including in the United States and allied countries. The workers generate revenue for the regime, which reportedly appropriates most of their wages.
Global networks enabling IT worker schemes
The sanctions target facilitators in North Korea, Vietnam, Laos and Spain accused of helping manage overseas IT teams, open bank accounts and convert illicit earnings into cryptocurrency. According to the Treasury, North Korean IT teams frequently operate through intermediaries abroad who arrange freelance contracts and provide financial services to obscure the origin of funds.
One sanctioned facilitator allegedly converted around $2.5m into cryptocurrency for North Korean actors between 2023 and 2025. These schemes also present severe cybersecurity risks. Treasury noted that some workers have covertly introduced malware into company systems or extracted sensitive data from corporate networks.
Industry observers have previously warned that these operatives are often viewed as "model employees" before their true identities are discovered, using stolen credentials to evade even sophisticated background checks at major technology and crypto firms.
Crypto-linked illicit finance under scrutiny
The sanctions come amid growing concern among policymakers that digital assets are being used by hostile states to bypass financial restrictions. A recent study presented to the UK Parliament warned that governments are struggling to keep pace with sanctions evasion via a $350bn crypto loophole, as hostile states exploit the borderless nature of blockchain systems.
North Korea has long relied on cyber operations and cryptocurrency theft to generate revenue outside the formal financial system. Under the new measures, all property belonging to the designated individuals and entities under US jurisdiction is blocked, and US citizens are generally prohibited from engaging in transactions with them. The Treasury stated it will continue working with international partners to disrupt the networks supporting these activities.
