The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has recently imposed sanctions on two individuals and two entities involved in a North Korean remote information technology (IT) worker scheme. This operation is designed to illicitly generate revenue for the regime’s weapons of mass destruction and ballistic missile programs.
Under Secretary of the Treasury for Terrorism and Financial Intelligence, John K. Hurley, emphasized the ongoing threat posed by these schemes:
The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom. Under President Trump, Treasury is committed to protecting Americans from these schemes and holding the guilty accountable.
The sanctions specifically target:
– Vitaliy Sergeyevich Andreyev: A 44-year-old Russian national who has facilitated payments to Chinyong Information Technology Cooperation Company.
– Kim Ung Sun: A North Korean economic and trade consular official based in Russia.
– Shenyang Geumpungri Network Technology Co., Ltd: A Chinese front company for Chinyong.
– Korea Sinjin Trading Corporation: A North Korean company subordinate to the DPRK Ministry of People’s Armed Forces General Political Bureau.
This action builds upon previous sanctions imposed against Chinyong Information Technology Cooperation Company in May 2023.
Background on Chinyong and the IT Worker Scheme
Chinyong is one of several IT companies that deploy North Korean IT workers to engage in freelance IT work and cryptocurrency theft. The company maintains offices in China, Laos, and Russia. This long-standing IT worker threat, also known by aliases such as Famous Chollima, Jasper Sleet, UNC5267, and Wagemole, is believed to be affiliated with the Workers’ Party of Korea.
The scheme involves embedding North Korean IT workers into legitimate companies in the U.S. and other countries. These workers secure employment using fraudulent documents, stolen identities, and false personas. In some instances, these actors have introduced malware into company networks to exfiltrate sensitive data and extort companies by threatening to leak the information.
Utilization of Artificial Intelligence in Employment Fraud
A recent report by Anthropic highlights the reliance of these fraudulent operations on artificial intelligence (AI) tools like Claude. These tools are used to create convincing professional backgrounds, tailor resumes to specific job descriptions, and even perform technical tasks. Anthropic noted:
The most striking finding is the actors’ complete dependency on AI to function in technical roles. These operators do not appear to be able to write code, debug problems, or even communicate professionally without Claude’s assistance. Yet they’re successfully maintaining employment at Fortune 500 companies, passing technical interviews, and delivering work that satisfies their employers.
Financial Transactions and Front Companies
The Treasury Department revealed that Andreyev has collaborated with Kim Ung Sun to conduct multiple financial transfers totaling nearly $600,000 by converting cryptocurrency to U.S. dollars since December 2024.
Shenyang Geumpungri, identified as a Chinese front company for Chinyong, has generated over $1 million in profits for Chinyong and Sinjin since 2021. Sinjin is a DPRK company subordinate to the U.S.-sanctioned DPRK Ministry of People’s Armed Forces General Political Bureau. The company has received directives from DPRK government officials regarding the deployment of IT workers internationally.
Broader Context and Previous Actions
This announcement follows a series of actions by the U.S. government to disrupt North Korea’s illicit revenue generation schemes. In July 2025, the Treasury Department sanctioned Korea Sobaeksu Trading Company and three individuals for their involvement in similar IT worker schemes. Additionally, an Arizona woman was sentenced to 8.5 years in prison for operating a laptop farm that enabled North Korean IT workers to remotely access U.S. company networks.
In January 2025, the Treasury Department sanctioned two individuals and four entities for dispatching IT workers worldwide to obtain employment and generate income for the DPRK regime, violating international sanctions. These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts for IT projects, such as software and mobile application development. The DPRK government withholds up to 90% of the wages earned by these overseas workers, generating annual revenues of hundreds of millions of dollars for the regime’s weapons programs, including weapons of mass destruction and ballistic missile programs.
Implications and Ongoing Efforts
The U.S. government’s actions underscore the persistent threat posed by North Korean IT worker schemes. These operations not only generate significant revenue for the DPRK’s illicit programs but also pose risks to the security and integrity of the companies they infiltrate. The use of AI tools to enhance the effectiveness of these schemes highlights the evolving nature of cyber threats and the need for robust measures to detect and prevent such fraudulent activities.
The Treasury Department’s continued efforts to identify and sanction individuals and entities involved in these schemes reflect a commitment to protecting American businesses and holding accountable those who facilitate the DPRK’s destabilizing activities.
