Key Takeaways:
On-chain researcher ZachXBT has disclosed data from an internal payment server used by North Korean IT workers, revealing more than $3.5 million in cryptocurrency payments across 390 accounts between December 2025 and February 2026.
"This data was provided by an anonymous source and sheds light on the scale of crypto payments flowing to IT workers from the sanctioned state," ZachXBT said in a statement accompanying the data release.
The leaked server data detailed payments to individuals and entities under sanction by the U.S. Office of Foreign Assets Control (OFAC), including the entity Sobaeksu. One associated Tron payment address was frozen by Tether in December 2025, confirming parts of the dataset and highlighting active measures by stablecoin issuers to combat illicit finance.
The disclosure places increased pressure on cryptocurrency exchanges and financial platforms to tighten their compliance and transaction monitoring frameworks. The findings provide concrete evidence of how North Korea leverages digital assets to bypass international sanctions, likely leading to intensified scrutiny from global regulators on the crypto industry's role in money laundering and terrorism financing.
The revelations serve as a critical alert for virtual asset service providers (VASPs). Regulators, particularly in the United States, are expected to increase their focus on platforms that may be facilitating payments to sanctioned North Korean entities. The link to an OFAC-sanctioned group and the subsequent action by Tether demonstrates that both government bodies and major industry players are actively monitoring and enforcing sanctions. This event may trigger a new wave of compliance requirements, forcing exchanges to invest more heavily in blockchain analytics and real-time transaction screening tools to avoid facilitating illicit transactions and facing potential penalties themselves.
This article is for informational purposes only and does not constitute investment advice.
