{ "id": "132f555a-8e32-464a-a20e-635a8c9a8960", "created_at": "2026-04-06T00:15:09.151898Z", "updated_at": "2026-04-10T03:38:20.458575Z", "deleted_at": null, "sha1_hash": "d830b326d3b7fcf805e9519ebdd9d959f98d62d6", "title": "Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 155142, "plain_text": "Treasury Sanctions Individuals Laundering Cryptocurrency for\r\nLazarus Group\r\nPublished: 2026-02-13 · Archived: 2026-04-05 19:45:42 UTC\r\nWASHINGTON – The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) today\r\nsanctioned two Chinese nationals involved in laundering stolen cryptocurrency from a 2018 cyber intrusion\r\nagainst a cryptocurrency exchange. This cyber intrusion is linked to Lazarus Group, a U.S.-designated North\r\nKorean state-sponsored malicious cyber group. Specifically, OFAC is designating 田寅寅, Tian Yinyin (Tian), and\r\n李家东, Li Jiadong (Li), for having materially assisted, sponsored, or provided financial, material, or\r\ntechnological support for, or goods or services to or in support of, a malicious cyber-enabled activity. Tian and Li\r\nare also being designated for having materially assisted, sponsored or provided financial, material, or\r\ntechnological support for, or goods or services to or in support of, Lazarus Group.\r\n“The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial\r\ninstitutions to steal funds,” said Secretary Steven T. Mnuchin. “The United States will continue to protect the\r\nglobal financial system by holding accountable those who help North Korea engage in cyber-crime.”\r\nTian and Li’s Activities\r\nThe Democratic People’s Republic of Korea (DPRK) trains cyber actors to target and launder stolen funds from\r\nfinancial institutions. Tian and Li received from DPRK-controlled accounts approximately $91 million stolen in\r\nan April 2018 hack of a cryptocurrency exchange (referred to hereinafter as “the exchange”), as well as an\r\nadditional $9.5 million from a hack of another exchange. Tian and Li transferred the currency among addresses\r\nthey held, obfuscating the origin of the funds.\r\nIn April 2018, an employee of the exchange unwittingly downloaded DPRK-attributed malware through an email,\r\nwhich gave malicious cyber actors remote access to the exchange and unauthorized access to customers’ personal\r\ninformation, such as private keys used to access virtual currency wallets stored on the exchange’s servers. Lazarus\r\nGroup cyber actors used the private keys to steal virtual currencies ($250 million dollar equivalent at date of theft)\r\nfrom this exchange, accounting for nearly half of the DPRK’s estimated virtual currency heists that year. \r\nTian ultimately moved the equivalent of more than $34 million of these illicit funds through a newly added bank\r\naccount linked to his exchange account. Tian also transferred nearly $1.4 million dollars’ worth of Bitcoin into\r\nprepaid Apple iTunes gift cards, which at certain exchanges can be used for the purchase of additional Bitcoin.\r\nhttps://home.treasury.gov/news/press-releases/sm924\r\nPage 1 of 3\n\nTian and Li are being designated pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757.\r\nAdditionally, they are being designated pursuant to E.O. 13722.\r\nOFAC closely coordinated today’s action with the U.S. Attorney’s Office for the District of Columbia and the\r\nInternal Revenue Service’s Criminal Investigation Division. Treasury supports the concurrent law enforcement-related actions taken against these and additional individuals and accounts.\r\nAs a result of today’s action, all property and interests in property of these individuals that are in the United States\r\nor in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations\r\ngenerally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the\r\nUnited States) that involve any property or interests in property of blocked or designated persons.\r\nIn addition, persons that engage in certain transactions with the individuals designated today may themselves be\r\nexposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant\r\ntransaction or provides significant financial services for any of the individuals designated today could be subject\r\nto U.S. correspondent account or payable-through sanctions.\r\nNorth Korea’s History of Malicious Cyber-Enabled Activities\r\nOn September 13, 2019, Treasury identified North Korean hacking groups commonly known within global cyber\r\nsecurity private industry as “Lazarus Group,” “Bluenoroff,” and “Andariel” as agencies, instrumentalities, or\r\ncontrolled entities of the Government of North Korea, pursuant to E.O. 13722, based on their relationship to the\r\nReconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. Lazarus Group, Bluenoroff,\r\nand Andariel are controlled by the U.S.- and United Nations (UN)-designated RGB.\r\nNorth Korea’s malicious cyber activity is a key revenue generator for the regime, from the theft of fiat currency at\r\nconventional financial institutions to cyber intrusions targeting cryptocurrency exchanges. The August 2019 UN\r\nSecurity Council 1718 Committee Panel of Experts report estimates that North Korea had attempted to steal as\r\nmuch as $2 billion, of which $571 million is attributed to cryptocurrency theft. This revenue allows the North\r\nKorean regime to continue to invest in its illicit ballistic missile and nuclear programs.\r\nGiven the illicit finance risk that cryptocurrency and other digital assets pose, in June 2019 the Financial Action\r\nTask Force (FATF) amended its standards to require all countries to regulate and supervise such service providers,\r\nhttps://home.treasury.gov/news/press-releases/sm924\r\nPage 2 of 3\n\nincluding exchangers, and to mitigate against such risks when engaging in cryptocurrency transactions. Virtual\r\nasset service providers and traditional institutions should remain vigilant and alert to substantial changes in\r\ncustomers’ activities, as their business may be used to facilitate the transfer of stolen proceeds. The United States\r\nis particularly concerned about platforms that provide anonymous payment and storage functionality without\r\ntransaction monitoring, suspicious activity reporting, or customer due diligence, among other obligations.\r\nDPRK cyber actors actively target the cryptocurrency community and are known to employ a variety of fake\r\ncryptocurrency trading programs that contain malware. In April 2018, the Lazarus Group leveraged previously\r\nused malware code from the now defunct cryptocurrency application Celas Trade Pro — software both developed\r\nand offered by the Lazarus Group registered website called Celas Limited. Creating illegitimate websites and\r\nmalicious software to conduct phishing attacks against the virtual currency sector is a pattern previously seen from\r\nNorth Korean cyber criminals.\r\nDPRK malicious cyber proceeds are often transferred to cryptocurrency exchanges and peer-to-peer marketplaces\r\nwith negligible customer screening compliance programs, or individual peer-to-peer or over-the-counter traders\r\noperating on exchanges that do not screen their customers. Stolen cryptocurrency may be layered using various\r\nschemes, traded for fiat currency, deposited in bank accounts, and traded for gift cards. Proceeds from DPRK\r\nmalicious cyber activities often end up at Chinese financial institutions.\r\nDelisting of Two Russian Entities\r\nIn addition to today’s designation, OFAC is delisting two Russian entities, Independent Petroleum Company (IPC)\r\nand its subsidiary AO NNK-Primornefteproduct (NNK-P). IPC was originally designated on June 1, 2017\r\npursuant to E.O. 13722 for operating in the transportation sector in North Korea. IPC shipped over $1 million\r\nworth of petroleum products to North Korea. Following this designation, IPC’s parent company, Alliance Oil\r\nCompany (AOC), ceased all export activities and instituted a global compliance program. Treasury recognizes the\r\nactions that IPC, NNK-P, and parent company AOC have taken to ensure they do not engage in activity that may\r\nbenefit North Korea.\r\nU.S. sanctions need not be permanent; sanctions are intended to bring about a positive change of behavior. The\r\nUnited States has made clear that the removal of sanctions is available for persons designated under North Korea-related authorities, who take concrete and meaningful actions to stop enabling North Korea’s sanctions\r\ncircumvention. As a result of today’s delisting action, all property and interests in property that had been blocked\r\nas a result of IPC and NNK-P’s respective designations are unblocked, and all otherwise lawful transactions\r\ninvolving U.S. persons and these two entities are no longer prohibited. \r\nRead identifying information related to today’s action here.\r\n####\r\nSource: https://home.treasury.gov/news/press-releases/sm924\r\nhttps://home.treasury.gov/news/press-releases/sm924\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://home.treasury.gov/news/press-releases/sm924" ], "report_names": [ "sm924" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434509, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d830b326d3b7fcf805e9519ebdd9d959f98d62d6.pdf", "text": "https://archive.orkl.eu/d830b326d3b7fcf805e9519ebdd9d959f98d62d6.txt", "img": "https://archive.orkl.eu/d830b326d3b7fcf805e9519ebdd9d959f98d62d6.jpg" } }