The U.S. Treasury’s OFAC designated a Russia–DPRK–China conduit that laundered revenue from North Korea’s covert IT-worker schemes into the regime’s weapons programs. Targets include Russian national Vitaliy Sergeyevich Andreyev, DPRK official Kim Ung Sun, and two fronts—Shenyang Geumpungri Network Technology Co., Ltd. (China) and Korea Sinjin Trading Corporation (DPRK). The action highlights crypto-to-cash conversion, front-company staffing, and secondary-sanctions exposure for non-U.S. firms.
Key points
- Who’s designated: Andreyev (RU), Kim Ung Sun (DPRK), Shenyang Geumpungri (CN), and Korea Sinjin Trading Corp (DPRK). OFAC links Andreyev to crypto conversions supporting the already-sanctioned Chinyong Information Technology Cooperation Company; SDN entry includes a listed BTC address (Source: U.S. Department of the Treasury, ofac.treasury.gov).
- Modus operandi: DPRK IT workers use stolen/forged identities, third-country IP, and intermediaries to infiltrate companies; wages and contract income are diverted—often via virtual assets—back to Pyongyang (Source: ofac.treasury.gov).
- Escalating campaign: Today’s move builds on OFAC designations on July 8 and July 24 that hit related DPRK IT-worker and procurement nodes; State/ROK/Japan issued coordinated warnings (Source: U.S. Department of the Treasury, state.gov).
- Real-world damage: DOJ recently secured an 8½-year sentence against the U.S. “laptop-farm” operator who helped place DPRK workers at 300+ firms, generating $17M—illustrating the corporate-risk side of this threat (Source: justice.gov).
- Compliance bite: Designations carry secondary-sanctions risk (NKSR §§510.201, 510.210) and restrictions for foreign subs of U.S. FIs (NKSR §510.214) (Source: ofac.treasury.gov).
Short narrative
Washington’s latest OFAC action spotlights the industrialization of North Korea’s “remote-work” playbook: teams of IT specialists abroad, masked behind Western identities and third-country entities, quietly embed inside legitimate companies. Once paid, earnings are routed—often via crypto—into conversion pipelines and front firms that bankroll missiles. OFAC names the Russian converter (Andreyev), the DPRK handler (Kim), and the cover entities in China and Pyongyang, tightening the net around Chinyong and its ecosystem. The message to markets: if you’re touching payrolls, platforms, or payouts related to these nodes, you’re in the blast radius (Source: U.S. Department of the Treasury, ofac.treasury.gov).
Extended analysis
How the money moves. Treasury says Andreyev worked with Kim to convert nearly $600k in cryptocurrency to U.S. dollars, moving IT-worker revenue for Chinyong. Shenyang Geumpungri is described as a Chinese front facilitating DPRK IT delegations; Korea Sinjin acts as a DPRK trading arm. OFAC’s SDN update memorializes identifiers (incl. a BTC address) and flags secondary-sanctions exposure—a red-line for non-U.S. institutions that might otherwise dismiss DPRK risk as a “U.S.-only” regime (Source: ofac.treasury.gov).
The bigger campaign. The designations extend a summer string of actions targeting DPRK’s IT-worker revenue engine and procurement fronts (Sobaeksu network, Andariel-linked facilitator). In parallel, Washington, Seoul, and Tokyo issued joint statements and reward offers, signaling trilateral alignment and public-private coordination (security vendors, hiring platforms, VASPs). Expect more synchronized pressure on recruiters, freelance marketplaces, and payment rails (Source: U.S. Department of the Treasury, state.gov).
Why companies keep getting burned. U.S. guidance (2022 advisory) has long described the playbook: false personas, VPNs/VPSs, third-party account “renting,” proxy logins, and virtual-currency payouts. Firms hire remote coders under time pressure, skip deep identity verification, and later discover malware or IP exfiltration. Treasury and FBI note DPRK often withholds up to 90% of workers’ wages, converting that income to support WMD and missile programs (Source: ofac.treasury.gov).
Enforcement is crossing into HR and IT ops. The Chapman sentence shows U.S. prosecutors will treat “laptop farms,” identity brokering, and I-9 fraud as national-security-relevant conduct, not just HR sloppiness. That judicial drumbeat will raise expectations on employers, staffing platforms, and managed-services firms to implement robust worker-identity controls and device-management attestation (Source: justice.gov).
Crypto’s role—and limits. Virtual assets remain a favored conduit for DPRK, but each listed address and enabler increases traceability and industry-wide blocking. Analytics firms already flagged today’s nodes and reiterated that conversion chokepoints (P2P brokers, OTCs, money mules) are the vulnerability OFAC is trying to squeeze (Source: Chainalysis, elliptic.co).
Actionable insight (for compliance, HR, VASPs)
- Screening & watchlists: Immediately load today’s SDN additions (names incl. Cyrillic/alternate script, addresses, BTC 1Hmqvg…). Configure ownership logic (≥50%) and NKSR secondary-sanctions rules (Source: ofac.treasury.gov).
- Remote-hire controls: Enforce in-person or notarized KYC for high-risk roles; require device attestation and geolocation checks; block VPN/VPS-only onboarding. Map practices against the 2022 tri-agency DPRK IT worker advisory red flags (Source: ofac.treasury.gov).
- Crypto exposure: For VASPs/fintechs, flag and monitor inbound/outbound flows linked to today’s identifiers; enhance typologies for crypto-to-cash off-ramps associated with Russia/China intermediaries (Source: ofac.treasury.gov).
- Incident playbook: If you discover a suspected DPRK worker or payment trail, use the FBI IC3 PSA guidance (data-extortion and insider access patterns) and coordinate with counsel before filing SARs and making notifications (Source: Internet Crime Complaint Center).
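A minimal screening sketch for the "Screening & watchlists" item above, added here as an illustration and not taken from OFAC or any vendor tool. It matches names regardless of word order, case and punctuation, matches wallet addresses exactly, and applies aggregate ≥50% ownership through intermediate entities. The function names, the placeholder address, and the ownership table are assumptions constructed for the example.

```python
import unicodedata

# Names are the four designations named in the article. The address is a
# placeholder: load the real value from the SDN entry, not from this example.
WATCHLIST_NAMES = [
    "Vitaliy Sergeyevich Andreyev",
    "Kim Ung Sun",
    "Shenyang Geumpungri Network Technology Co., Ltd.",
    "Korea Sinjin Trading Corporation",
]
WATCHLIST_ADDRESSES = {"<BTC-ADDRESS-FROM-SDN-ENTRY>"}

def name_key(name):
    """Order-insensitive key: drop accents, case and punctuation, keep tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in kept)
    return frozenset(cleaned.casefold().split())

LISTED_KEYS = {name_key(n) for n in WATCHLIST_NAMES}

def name_hit(name):
    """True for 'ANDREYEV, Vitaliy Sergeyevich' as well as the natural order."""
    return name_key(name) in LISTED_KEYS

def address_hit(address):
    """Wallet addresses are matched exactly; only surrounding whitespace is ignored."""
    return address.strip() in WATCHLIST_ADDRESSES

def blocked_by_ownership(ownership, threshold=50.0):
    """Entities held >= threshold percent, in aggregate, by listed or blocked owners.

    ownership maps entity -> {owner: percent}. The loop repeats until no new
    entity is added, so indirect ownership through a blocked parent is caught.
    """
    blocked, changed = set(), True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            share = sum(p for o, p in owners.items() if name_hit(o) or o in blocked)
            if share >= threshold:
                blocked.add(entity)
                changed = True
    return blocked

# Constructed ownership table: hypothetical companies, percent held per owner.
SAMPLE_OWNERSHIP = {
    "Example Holdco A": {"Kim Ung Sun": 30, "Korea Sinjin Trading Corporation": 25, "Other Investor": 45},
    "Example Subco B": {"Example Holdco A": 60, "Other Investor": 40},
    "Example Tradeco C": {"Kim Ung Sun": 49, "Other Investor": 51},
}
```

Alternate-script aliases (such as Cyrillic spellings) are not derived by this normalization; they need to be loaded as additional watchlist names from the SDN entry itself.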
Call for information
FinTelegram invites insiders, recruiters, platform operators, and payment professionals with knowledge of Chinyong, Shenyang Geumpungri, Korea Sinjin, Andreyev, or Kim Ung Sun to contact us via Whistle42. Secure documentation (invoices, code-repo logs, payroll/crypto transfer proofs) is especially valuable to map this network.




