Assessing the MSMT’s DPRK IT Worker Threat Report
December 16, 2025


Building on the growing body of work on the threat posed by North Korea’s (Democratic People’s Republic of Korea or DPRK) IT workforce, the Multilateral Sanctions Monitoring Team (MSMT), an 11-nation consortium tracking sanctions violations and evasions, recently published a detailed report on DPRK’s use of cyber operations and IT labor activities to circumvent UN sanctions.

Drawing on insights from member state submissions, private-sector intelligence and open-source resources, the report presents one of the most comprehensive overviews of the DPRK’s cyber ecosystem, mapping its technical infrastructure, global hiring patterns, common Tactics, Techniques and Procedures (TTPs), cryptocurrency laundering mechanisms and the operational overlaps between cyber units and IT teams linked to UN-designated entities.

However, a key takeaway from the report emerges from this very overlap. The report places the IT worker issue within the broader paradigm of DPRK cyber operations, rather than treating it as a distinct and self-sustaining economic activity. This framing, while understandable, risks masking the financial logic and organizational structure that make IT worker operations uniquely persistent, and that make them both a malicious threat vector and a strategic revenue-generation business model.

Unique Takeaways on IT Workers

First, the report’s examination of the organizational arrangements, including the possible hierarchy and division of labor across state, party and military entities, offers a structured framework. This helps reconcile the volume of information scattered across open-source investigations, private-sector reports, and successive UN Panel of Experts reports. It also contextualises the IT worker apparatus within the broader bureaucratic machinery designated by UN sanctions. Furthermore, the identification of front-company structures and named entities clarifies where IT workers sit within this ecosystem and how their output contributes to revenue generation.

Figure 1. DPRK Cyber Actor and IT Worker Ties to UN Designated Entities. (Source: MSMT report on The DPRK’s Violation and Evasion of UN Sanctions through Cyber and Information Technology Worker Activities)

Second, the report provides a more concrete sense of the scale of DPRK IT worker operations and the revenue they generate. Beyond the broad earnings ranges cited in government advisories, the MSMT estimates that workers typically earn between $3,500 and $10,000 per month, with high performers earning substantially more.

A particularly significant contribution is its documentation of cases, supported by private-sector attributions, demonstrating that some IT workers have played direct operational roles in cryptocurrency thefts. This includes their probable role in the Munchables incident in 2024, the Onyx DAO exploit and the BTCTurk breach. This challenges the existing view that the functions of DPRK IT workers are limited to software development or freelance IT work. Instead, it highlights the dual nature of their activities, involving both malicious and revenue-generation elements.

Third, the report provides detailed case studies of front companies including their corporate structures, physical locations, and operational functions. These cases show the diversity of DPRK IT worker placements, spanning healthcare systems, online gambling platforms, animation studios, and blockchain-related services. Accompanying this analysis of overseas IT workers is an examination of domestic IT facilities situated in Rason (Rajin-Sonbong), Sinuiju, and Pyongyang. This information suggests the existence of training hubs and operational centres that potentially coordinate overseas deployments and manage revenue flows.

Fourth, the report provides a breakdown of IT worker TTPs. It categorizes IT worker activity into three operational phases: 1) establishing a persona, including identity laundering, credential fabrication, and the procurement of freelancer accounts; 2) applying for work, leveraging brokers, compromised HR accounts, and targeted applications to industries with weak onboarding controls; and 3) receiving and exfiltrating funds through payment processors, crypto rails, mixing services and over-the-counter (OTC) brokers. While these TTPs have been documented before, the MSMT’s structured explanation consolidates distinct indicators into a coherent operational model. This makes it easier for governments, payment platforms, and financial institutions to identify and interdict DPRK IT worker activity.

Where the Report Falls Short

One major shortcoming of the report is its treatment of DPRK IT workers as part of the larger DPRK cyber ecosystem. By viewing IT workers as an extension of malicious cyber activity, the report blurs important distinctions between the financial, organizational, and operational aspects that govern their deployment. This approach may conflate two related but sometimes distinct ecosystems: one involved in malicious acts and one focused on revenue generation.

The report acknowledges that IT worker revenue is routed back to parent entities involved in weapons development, production, domestic infrastructure projects, and consumer-goods procurement. However, it stops short of explicitly addressing whether revenue generation is the primary mission of these IT workers or whether they increasingly serve a hybrid role blending IT work with opportunistic malicious activity.

The Munchables incident illustrates this ambiguity. The MSMT notes that the individuals involved were potentially IT workers who exploited smart contracts in the Non-Fungible Tokens (NFT) game Munchables, stealing 17,413.96 Ethereum (valued at $62.5 million at the time). However, the subsequent operational failures highlight their limitations as they struggled to move the stolen assets off the Blast network and demonstrated little proficiency in laundering or obfuscating funds. Their skill set aligned more with smart-contract development than with on-chain obfuscation typical of sophisticated cyber threat units. This suggests a more complex ecosystem in which IT workers may engage in financially motivated cybercrime, but not necessarily with the same intent or technical competency as designated DPRK cyber units.

Adding to this complexity is the report’s brief acknowledgement that malicious cyber operators sometimes collaborate with IT worker teams. However, it stops short of highlighting how these collaborations are structured, whether they are ad hoc or systematic, or how such partnerships reshape the risk profile of remote IT workers. This is particularly relevant given the growing number of government advisories warning that DPRK IT workers pose not only sanctions evasion risks but also insider-threat, extortion, and data-theft risks to employers.

A second area where the report falls short is its treatment of the financial network of IT workers. While the TTPs provide a clear depiction of how DPRK IT workers fabricate identities and secure remote roles, the information supporting IT worker laundering methodology is more scattered and less cohesive when it comes to how funds are received, moved, and eventually consolidated.

To its credit, the report does offer extensive case studies. For example, the report notes IT workers stationed overseas relying on third-party purchases of PayPal USD (PYUSD), incremental conversions into USDT/USDC under daily limits, and the acquisition of fraudulently obtained automated clearing house (ACH)-enabled bank accounts through facilitators. The report also notes that some IT worker teams have begun establishing shell companies, including US-registered entities, to receive payments directly, while another case details a DPRK official using China UnionPay cards tied to Chinese banks to conduct transactions on behalf of workers, including for a China-based 313 General Bureau IT worker. This gap is all the more notable because the report documents cases of IT worker financial operations in jurisdictions as diverse as China, Russia, the UAE, Pakistan, Argentina, Ukraine, Vietnam, the US, and Japan.

In short, the report provides an extensive inventory of laundering techniques that demonstrates the evolution of the DPRK’s tradecraft. However, these techniques are presented as isolated behaviours and do not amount to a systematic mapping of how the elements connect into a coherent financial network. Without establishing these linkages, it is difficult to determine which nodes are most exploited, which intermediaries are fungible, and where the system is most vulnerable to disruption. Policymakers are left with snapshots of illicit transactions rather than an understanding of the structural flows that sustain DPRK IT worker operations. This makes it difficult to design enforcement actions capable of mitigating the problem at scale.

A final shortcoming relates to the practical utility of the report. The impact of the MSMT’s findings hinges on how effectively governments, platforms, and financial institutions can operationalize them. While the report provides clear descriptions of the DPRK’s cryptocurrency-laundering methods, it does not fully explain IT workers’ roles in these processes or prioritise the riskiest nodes within the network. In effect, the usefulness of the MSMT’s work depends heavily on the analytical capacity of its readers to stitch together disparate case studies, connect them with national advisories and the report’s own recommendations, and design enforcement mechanisms. This places an unreasonable burden on already resource-constrained jurisdictions and increases the likelihood that the findings are unevenly applied, partially implemented, or even misinterpreted in ways that might narrow the policy response.

Conclusion

The MSMT report is, without question, one of the most detailed assessments of DPRK’s cyber operations and its IT worker apparatus. It brings together insights that several open-source investigations and private-sector reports have only captured in fragments, and it significantly strengthens the evidentiary base for policymakers, compliance teams, and researchers.

But the report’s value is shaped by its limitations. Its gaps, particularly around the financial networks sustaining IT worker operations and the blurred lines between cyber units and revenue-generation teams, directly influence the utility of its findings. These shortcomings do not diminish the report’s contribution, but they do highlight where additional work is needed.

This is where civil society, investigative researchers, and compliance specialists can play a key role. Organizations with deep familiarity in DPRK’s cyber, procurement, and illicit-finance ecosystems are well positioned to bridge the divide between detailed case studies and the system-level maps needed for effective countermeasures. They can translate the MSMT’s findings into practical guidance, targeted outreach, and capacity-building for the jurisdictions and institutions most exposed to these risks.

If the MSMT report is to reach its full potential, it will require precise follow-up analysis by civil society institutions to identify the blind spots in organizational controls, strengthen sanctions compliance, and help mitigate the very vulnerabilities that enable DPRK IT worker operations to thrive.
