{
	"id": "757364f2-5c2e-47c6-a347-b57c6c3ccfbb",
	"created_at": "2026-04-06T00:10:39.996029Z",
	"updated_at": "2026-04-10T13:11:38.787809Z",
	"deleted_at": null,
	"sha1_hash": "dedafade3e45ab841c252dd8c0e8cbe2a470346b",
	"title": "Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62172,
	"plain_text": "Treasury Targets DPRK’s International Agents and Illicit Cyber\r\nIntrusion Group\r\nPublished: 2026-02-13 · Archived: 2026-04-05 13:00:38 UTC\r\nAustralia, Japan, the Republic of Korea, and the United States \r\nSanction DPRK for its November 21 Satellite Launch\r\nWASHINGTON — Today, in coordination with foreign partners, the U.S. Department of the Treasury’s Office of\r\nForeign Assets Control (OFAC) sanctioned eight foreign-based Democratic People’s Republic of Korea’s (DPRK)\r\nagents that facilitate sanctions evasion, including revenue generation and missile-related technology\r\nprocurement that support the DPRK’s weapons of mass destruction (WMD) programs. Additionally, OFAC\r\nsanctioned cyber espionage group Kimsuky for gathering intelligence to support the DPRK’s strategic objectives. \r\nToday’s actions are in response to the DPRK’s November 21 claimed military reconnaissance satellite launch and\r\ndemonstrates the multilateral efforts of the United States and foreign partners to hinder the DPRK’s ability to\r\ngenerate revenue, procure materiel, and gather intelligence that advances the development of its WMD program\r\nand the unlawful export of arms and related materiel from the DPRK.\r\n “Today’s actions by the United States, Australia, Japan, and the Republic of Korea reflect our collective\r\ncommitment to contesting Pyongyang’s illicit and destabilizing activities,” said Treasury’s Under Secretary for\r\nTerrorism and Financial Intelligence Brian E. Nelson. “The DPRK’s use of overseas laborers, money launderers,\r\ncyber espionage, and illicit funding continue to threaten international security and our allies in the region. 
We will\r\nremain focused on targeting these key nodes in the DPRK’s illicit revenue generation and weapons proliferation.”\r\nDPRK ILLICIT ECONOMIC ACTIVITY\r\nToday’s actions target the DPRK’s access to revenue and weapons, generated through state-owned entities, banks,\r\nand trading companies, specifically through their globally deployed trade and bank representatives. These\r\nindividuals provide critical access to foreign technology vital to the DPRK’s domestic weapons program and\r\nenable DPRK revenue generation through access to the international financial system. A portion of the revenue\r\nfrom these activities has been funneled towards domestic WMD-related technology and missile systems.\r\nOFAC is designating eight individuals that are associated with U.S.-designated DPRK state-owned weapons\r\nexporters, financial institutions, and front companies including Green Pine Associated Corporation (Green Pine),\r\nForeign Trade Bank of the Democratic People’s Republic of Korea (FTB), Koryo Commercial Bank LTD. (KCB),\r\nKorea United Development Bank (KUDB), and Mansudae Overseas Project Group of Companies (MOP).\r\nDPRK Weapons Sales Representatives \r\nU.S. and UN-designated Green Pine is responsible for approximately half of DPRK arms and related materiel\r\nexports. The Reconnaissance General Bureau (RGB)-controlled Green Pine specializes in the production of\r\nhttps://home.treasury.gov/news/press-releases/jy1938\r\nPage 1 of 4\n\nmaritime military craft and armaments and has provided both technical assistance and weapons to Iranian defense-related firms. \r\nKang Kyong Il and Ri Sung Il are Tehran, Iran-based Green Pine representatives. Kang Kyong Il has\r\nattempted to sell Chinese-origin aluminum and Ri Sung Il has worked with other DPRK representatives to\r\nsell conventional weapons to foreign governments. 
Both Kang Kyong Il and Ri Sung Il have travelled to\r\nChina together on multiple occasions.\r\n Kang Phyong Guk is a Green Pine representative in Beijing, China and is a central liaison between Green\r\nPine and its overseas representatives.\r\nRi Sung Il, Kang Kyong Il, and Kang Phyong Guk are being designated pursuant to E.O. 13551 for acting or\r\npurporting to act for or on behalf of, directly or indirectly, Green Pine, an entity that was included in the Annex to\r\nE.O. 13551.\r\nDPRK Financial Representatives\r\nThe DPRK continues to use agents and individuals associated with its state-owned entities and banks to access the\r\ninternational financial system to conduct illicit financial activity. They have long-standing networks of front or\r\nshell companies and use embassy personnel to move money and procure materiel for the DPRK’s WMD and\r\nballistic missile programs as well as to procure conventional weapons. \r\nSo Myong is the chief representative of FTB in Vladivostok, Russia and has facilitated financial transfers\r\non behalf of designated DPRK financial institutions and weapons trading entities, including\r\nrepresentatives of the U.S.-designated Second Academy of Natural Sciences. So Myong is designated\r\npursuant to E.O. 13382 for having acted or purported to act for or on behalf of, directly or indirectly, FTB.\r\nChoe Un Hyok is a KUDB representative in Russia who has coordinated multiple payments to an entity\r\nsubordinate to the U.S. and UN-designated Munitions Industry Department. Choe Un Hyok is designated\r\npursuant to E.O. 13722 for having acted or purported to act for or on behalf of, directly or indirectly,\r\nKUDB.\r\nJang Myong Chol is a KCB representative in China that has facilitated transactions worth hundreds of\r\nthousands of dollars. Jang Myong Chol is designated pursuant to E.O. 
13810 for having acted or purported\r\nto act for or on behalf of, directly or indirectly, KCB.\r\nDPRK Front Companies\r\nAdditionally, OFAC is designating two individuals that have generated revenue for the Government of North\r\nKorea and were previously designated by the European Union for generating revenue through the exportation of\r\nDPRK workers.\r\nChoe Song Chol and Im Song Sun have represented front companies for UN and U.S.-designated MOP.\r\nMOP was designated pursuant to E.O. 13722 for having engaged in, facilitated, or been responsible for the\r\nexportation of workers from North Korea [OFAC Press Release] \r\nChoe Song Chol and Im Song Sun are being designated pursuant to E.O. 13810 for being North Korean persons,\r\nincluding a North Korean person who has engaged in commercial activity that generates revenue for the\r\nhttps://home.treasury.gov/news/press-releases/jy1938\r\nPage 2 of 4\n\nGovernment of North Korea or the Workers’ Party of Korea.\r\nA CYBER ESPIONAGE UNIT WITH STRATEGIC SIGNIFICANCE\r\nActive since 2012, Kimsuky is subordinate to the UN- and U.S.-designated Reconnaissance General Bureau\r\n(RGB), the DPRK’s primary foreign intelligence service. On August 30, 2010, OFAC designated the RGB by\r\nadding it to the annex of E.O. 13551. OFAC subsequently re-designated the RGB on January 2, 2015 pursuant to\r\nE.O. 13687 for being a controlled entity of the Government of North Korea. Malicious cyber activity associated\r\nwith the Kimsuky advanced persistent threat is also known in the cybersecurity industry as APT43, Emerald Sleet,\r\nVelvet Chollima, TA406, and Black Banshee.\r\nAlthough Kimsuky is primarily an intelligence collection entity, its cyber espionage campaigns directly support\r\nthe DPRK’s strategic and nuclear ambitions. 
Kimsuky primarily uses spear-phishing to target individuals\r\nemployed by government, research centers, think tanks, academic institutions, and news media organizations,\r\nincluding entities in Europe, Japan, Russia, South Korea, and the United States. Kimsuky employs social\r\nengineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting\r\nits interests by gaining illicit access to the private documents, research, and communications of their targets.\r\nKimsuky is being designated pursuant to E.O. 13687, for being an agency, instrumentality, or a controlled entity\r\nof the Government of North Korea.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, pursuant to E.O.s 13687, 13382, 13551, 13722, and 13810, all property and interests\r\nin property of the persons named above that are in the United States, or in the possession or control of U.S.\r\npersons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly,\r\n50 percent or more by one or more blocked persons are also blocked. \r\nUnless authorized by a general or specific license issued by OFAC, or otherwise exempt, OFAC’s regulations\r\ngenerally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any\r\nproperty or interests in property of designated or otherwise blocked persons. The prohibitions include the making\r\nof any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the\r\nreceipt of any contribution or provision of funds, goods, or services from any such person.\r\nIn addition, persons that engage in certain transactions with the individuals or entities designated today may\r\nthemselves be exposed to designation. 
Furthermore, any foreign financial institution that knowingly facilitates a\r\nsignificant transaction or provides significant financial services for any of the individuals or entities designated\r\ntoday could be subject to U.S. correspondent or payable-through account sanctions. \r\nThe power and integrity of OFAC sanctions derive not only from its ability to designate and add persons to the\r\nSDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate\r\ngoal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning\r\nthe process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently\r\nAsked Question 897.\r\nhttps://home.treasury.gov/news/press-releases/jy1938\r\nPage 3 of 4\n\nFor additional information on DPRK cyber activities, refer to the Guidance on the North Korean Cyber\r\nThreat.\r\nFor additional information on Kimsuky’s recent social engineering operations, refer to the Joint Cyber Advisory\r\n“DPRK Using Social Engineering to Enable Hacking”; for its tactics, techniques and procedures, refer to the Joint Cybersecurity\r\nAdvisory.\r\nFor additional information on DPRK illicit finance and procurement activities see the North Korea Ballistic\r\nMissile Procurement Advisory and the FinCEN Advisory on North Korea’s Use of the International Financial\r\nSystem.\r\nFor detailed information on the process to submit a request for removal from an OFAC sanctions list, please click\r\nhere.\r\nFind identifying information on the individuals sanctioned today here.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy1938\r\nhttps://home.treasury.gov/news/press-releases/jy1938\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy1938"
	],
	"report_names": [
		"jy1938"
	],
	"threat_actors": [
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dedafade3e45ab841c252dd8c0e8cbe2a470346b.pdf",
		"text": "https://archive.orkl.eu/dedafade3e45ab841c252dd8c0e8cbe2a470346b.txt",
		"img": "https://archive.orkl.eu/dedafade3e45ab841c252dd8c0e8cbe2a470346b.jpg"
	}
}