US Treasury sanctions North Korea Ethereum addresses

As part of its efforts to counter North Korea’s weapons of mass destruction proliferation and development, The US Treasury Department has announced sanctions against three Ethereum addresses allegedly linked to North Korea hacking activities.

According to a department press release published recently, the department has designated the addresses for supporting “North Korean cyber-hacking operations.” The department said that all three addresses were associated with Lazarus Group, a hacker group suspected of having ties to North Korea.

The addresses were associated with two China-based companies and one Russia-based individual.

All three were alleged to have laundered funds through digital currency exchanges on behalf of the sanctioned Lazarus Group, a state-sponsored cybercrime organization affiliated with the hermit kingdom’s military intelligence agency.

The US Treasury Department has sanctioned three different Ethereum addresses that they believe are linked to the North Korea government. The department’s Office of Foreign Assets Control (OFAC) announced the sanctions recently , adding these addresses to its list of Specially Designated Nationals and Blocked Persons.

“Today, OFAC is publicly designating three individuals and six entities pursuant to E.O. 13810 for operating in the transportation or mining industries in North Korea, as well as for providing software, telecommunications, or other services to North Korea,” a press release about the sanctions reads. “These actions further advance U.S. efforts to maximize economic pressure on the Government of North Korea in response to the DPRK’s ongoing development of weapons of mass destruction and continued violations of UN Security Council resolutions.”

Today’s sanctions also add two Chinese nationals and one Russian national to the SDN list.

“The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating one individual and two entities for supporting North Korea’s illicit cyber activities and other destructive attacks. The Department of Justice has also unsealed charges against two Chinese nationals for laundering more than $100 million in cryptocurrency from North Korean cyber hacks,” a press release from the US Department of the Treasury states.

“Today’s actions are intended to stop the flow of illicit revenue to North Korea from overseas computer hacking operations and to counter the regime’s ongoing attempts to evade sanctions.”

According to the Treasury Department’s report, all nine individuals were involved with North Korean shipping or illicit financial activity through cryptocurrency exchanges. Lin Mingxue, Gao Song, and Hong Jinhua allegedly sent millions of dollars’ worth of ether (ETH) and bitcoin (BTC) from China into North Korea through multiple cryptocurrency exchanges.

The department’s Office of Foreign Assets Control (OFAC) said that it was imposing sanctions on the addresses in an attempt to disrupt ongoing efforts by North Korea to “launch cyberattacks and steal virtual currency to generate income.”

The Ethereum wallets are linked to these web-based platforms, at least one of which is known as Marine Chain. A company based out of Toronto has previously stated that they are trying to use blockchain technology to facilitate fractional ownership of ships, however the US Treasury claims that the project is actually a cover for North Korean military officials to raise cryptocurrency funding.

In a statement, the department said that these addresses were associated with “Marine Chain Token, a platform designed to allow ship owners and others in the maritime industry to tokenize vessels on a blockchain.” The company is a subsidiary of Marine Chain, which was also sanctioned by OFAC today.


The Treasury’s action blocks all property and interests in property these entities have within U.S. jurisdiction, and prohibits Americans from engaging in transactions with them.

“Treasury is taking action against digital currency exchange services used to launder stolen funds from North Korean cyberattacks,” Sigal Mandelker, under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “Treasury will continue to implement existing sanctions against North Korea, and will take action to block and designate companies, ports, and vessels that facilitate illicit shipments and provide revenue streams to the DPRK.”

According to the department, “North Korean actors have used this platform to raise funds for the regime by issuing tokens backed by ownership interests in vessels.”

The department further noted that it had also sanctioned:


Jong Song Hwa and his companies Global Marine Networks Co. Ltd., Velmur Management Pte Ltd, Transatlantic Partners Pte Ltd and Velmur Pte Ltd for providing services for North Korea’s DPRK Shipping Corporation and Korea Kumbyol Trading Company;

Han Jang Su and his company Volasys Silver Star for helping North Korea’s Reconnaissance General Bureau; and Chosun Expo Joint Venture, a joint venture between China’s IT firm Xinhu Zhongbao Co. Ltd. and North Korean entity Rungrado General Trading Corporation.

Specifically,  US treasury OFAC has designated the North Korea linked  ethereum addresses 0x00e3b2ea0acfda8d0d0322a78a29a30f734cc1c8 and 0x32be343b94f860124dc4fee278fdcbd38c102d88 as property of the DPRK.

A blog post on the Treasury’s website states: “Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs. We will continue to enforce existing U.S. sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The release also notes that the sanctions mark “the first time the United States has taken action against malicious cyber actors engaged in a range of malicious cyber-enabled activities on behalf of the Government of North Korea”

Although OFAC has taken similar actions against Bitcoin addresses in the past, including a 2018 move against two crypto addresses associated with Lazarus Group, a hacking entity identified as being controlled by North Korea’s Reconnaissance General Bureau.

In May 2018, an American man was arrested for allegedly laundering millions of dollars worth of bitcoin from North Korea using his personal Bitcoin wallet. The funds were laundered through Liberty Reserve, an online payment system which collapsed and was shut down in June 2014 after its founder pleaded guilty to money-laundering charges.

“Criminal actors should not be able to hide behind technology,” said Sigal Mandelker, Under Secretary for Terrorism and Financial Intelligence at OFAC. “Treasury will continue to enforce our sanctions, and we are making it explicitly clear that shipping oil to North Korea is prohibited.”

Affected by the sanctions are an individual named Aleksandr Yuryevich Kanashevsky, who is believed to be a Russian national residing in Moscow. He was designated as operating software development company Transnational IT Group JSC (Transit-Inform), which created and manages cryptocurrency exchange platform, according to the press release.

“The United States will continue to enforce existing sanctions against North Korea and will take action to block and designate companies, ports, and vessels that facilitate illicit shipments and provide revenue streams to the DPRK,” Sigal Mandelker, undersecretary for terrorism and financial intelligence, said in the statement.

According to a press release from OFAC, the addresses were allegedly related to Lazarus Group, a state-sponsored hacking group that was recently exposed as having stolen over $571 million in cryptocurrency since early 2017 through hacks, phishing campaigns, and other malicious schemes. Lazarus Group has also been tied to the development of malware used in the WannaCry ransomware attacks which affected computers worldwide in May 2017. The group has become known for its sophisticated and often destructive cyber-attacks, including the 2013 theft of hundreds of thousands of customer data records from Bangladesh Bank and the 2014 hack of Sony Pictures Entertainment that led to the leak of private emails and unreleased movies.

The three addresses were discovered using Chainalysis Reactor, an analytics solution that enables government agencies to investigate blockchain transactions without any prior knowledge of crypto wallets or cryptocurrencies involved in a given transaction. In the three cases reported on by CoinDesk, Chainalysis says the addresses are linked to users who have been previously identified for illicit activities involving cryptocurrency.

The Chainalysis research team has found a number of criminal and fraudulent bitcoin addresses in which funds were being moved from one address to another – most commonly for purposes such as money laundering or other illicit activity,” the company said in a statement Tuesday, October 30th, following publication of the report with CoinDesk, adding: “The study also reveals how criminals move their ill-gotten gains when they try to hide them by sending them to new wallets controlled by an intermediary. We also found that the same criminals are able to change wallet ownership with relative ease, often after just one week.”

In the past 7 months, the United States has enacted three rounds of sanctions against North Korea, which have significantly hindered the regime’s ability to conduct illicit financing. One of these rounds – the fourth round – targets several entities and individuals who are suspected of being involved in the proliferation of weapons of mass destruction, missile development, and information technology. This expansion reflects not only our commitment to hold North Korea accountable for its actions but also our resolve to cut off their ability to fund those activities in other ways.

US treasury OFAC also published an advisory on its website outlining some of the tactics used by North Korea hackers to target American citizens, businesses, and financial institutions. As part of that publication, OFAC included a list of linked addresses associated with North Korean cryptocurrency activity. Although we know the department employs the chainanalysis protocol, the Treasury Department did not release any details about the methods it will use to detect crypto-currency transactions or how it is going to share information on this issue, they have outlined what to look for when trying to determine if a company is acting as a front for Pyongyang