OFAC sanctioned six individuals and two entities for involvement in the DPRK IT worker scheme, which aims to defraud US businesses and fund its weapons programmes. The operation, also known as Coral Sleet/Jasper Sleet, PurpleDelta and Wagemole, uses bogus documents, stolen identities and fabricated personas to place North Korean IT personnel in legitimate companies, with salaries partly funnelled back to the regime.
The Treasury notes that some of these operatives deployed malware to steal data and sometimes extorted payments. Among those named are Amnokgang Technology Development Company, Nguyen Quang Viet of Quangvietdnbg International Services Company Limited, who allegedly converted about $2.5 million into cryptocurrency between mid-2023 and mid-2025, and Do Phi Khanh, Hoang Van Nguyen, Yun Song Guk and others connected to the network, with Yun coordinating several dozen transactions totaling more than $70,000.
The development highlights the use of Astrill VPN to conceal operations from locations such as China, and the broader recognition that such IT workers enable DPRK revenue generation and sanctions evasion.