OFAC sanctions DPRK IT worker network tied to fake remote jobs and WMD funding

The U.S. Treasury has sanctioned six individuals and two entities tied to North Korea’s fake remote IT worker scheme, saying the operation helped generate money for Pyongyang’s weapons programs. Treasury said the network used stolen identities, fake personas, and fraudulent documents to place workers inside legitimate companies, including U.S. businesses.

The action came from the Office of Foreign Assets Control on March 12, 2026. Treasury said the broader DPRK IT worker apparatus generated nearly $800 million in 2024, and warned that some of these workers did more than collect paychecks. In certain cases, Treasury said they also introduced malware into company networks and stole sensitive or proprietary data.

U.S. officials say this is not just sanctions evasion or payroll fraud. The government links the scheme directly to North Korea’s weapons of mass destruction and ballistic missile programs. Secretary of the Treasury Scott Bessent said the regime targets American companies through deceptive overseas IT operatives who can weaponize sensitive data and extort businesses for large payments.

Treasury’s latest designations show how broad the network has become. The sanctioned actors span North Korea, Vietnam, Laos, and Spain, and authorities say they helped manage workers, move money, convert proceeds into cryptocurrency, and develop freelance contracts that helped the workers appear legitimate.

The two sanctioned entities are Amnokgang Technology Development Company and Vietnam-based Quangvietdnbg International Services Company Limited. Treasury says Amnokgang managed overseas DPRK IT workers and also handled illicit procurement activity, while Quangvietdnbg’s CEO Nguyen Quang Viet helped convert funds for North Koreans. Treasury said Nguyen converted about $2.5 million into cryptocurrency between mid-2023 and mid-2025, including illicit earnings tied to Amnokgang-linked workers.

Treasury also named Do Phi Khanh, Hoang Van Nguyen, Yun Song Guk, Hoang Minh Quang, and York Louis Celestino Herrera. According to the department, some of them helped open bank accounts, launder proceeds, support cryptocurrency transactions, or arrange freelance IT contracts that fed the larger network. Treasury said Yun led a group of North Korean IT workers operating out of Boten, Laos, and coordinated transactions tied to the IT services they performed.

Why this matters for businesses

For employers, the case underlines a wider problem in remote hiring. The FBI has warned that North Korean IT workers use U.S.-based facilitators, fake job seeker profiles, financial accounts, remote access tools, and even front companies to get hired and gain access to employer systems. The bureau says some facilitators receive devices on behalf of the workers, help set up U.S.-based internet connections, and even attend interviews or meetings for them.

The risk does not stop with payroll fraud. In a January 2025 public service announcement, the FBI said some North Korean IT workers copied code repositories, stole proprietary data, harvested credentials, and later extorted victims after they were discovered on company networks. That makes this both a sanctions issue and an insider-risk problem.

AI is making the fraud harder to spot

Microsoft says North Korean remote IT workers have been using AI since 2024 to improve the scale and sophistication of their operations. In its March 2026 threat report, the company said these actors use AI across the attack lifecycle and rely on long-term trusted access, which means defenders should treat fraudulent employment and access misuse as an insider-risk scenario.

The FBI has also warned that North Korean IT workers have used artificial intelligence and face-swapping technology during video interviews to hide their real identities. The bureau advises employers to cross-check documents, compare images across meetings, and complete as much of hiring and onboarding in person as possible.

Private sector researchers continue to find signs that these operations rely on infrastructure designed to make overseas workers look local. LevelBlue said Astrill VPN has been used in North Korea-linked remote IT worker operations because it can bypass China’s Great Firewall and tunnel traffic through U.S. exit nodes, helping threat actors appear to be domestic employees.

Sanctioned network at a glance

Red flags companies should watch

• Resumes with reused contact details, typos, or inconsistent work histories.
• Candidates who avoid clear video checks or appear visually inconsistent on camera.
• Requests to ship company laptops to addresses that do not match the claimed employee location.
• Multiple logins from different countries or known VPN infrastructure.
• Contract workers hired through third parties with weak identity verification.

What happens next

The sanctions block property and interests in property of the designated parties that fall under U.S. jurisdiction, and they generally bar U.S. persons from dealing with them. Treasury framed the move as part of a broader government effort to disrupt DPRK revenue generation and said the United States will keep working with allies and partners to counter these IT worker schemes.

For companies, the message is direct. Remote hiring now sits at the intersection of HR, compliance, cybersecurity, and national security. Firms that still treat identity checks as a routine paperwork step could miss a threat that starts as a job application and ends with stolen data, extortion, or sanctions exposure. That last point is an inference from the government warnings and enforcement actions, but it fits the pattern described by Treasury, the FBI, and Microsoft.

FAQ