The Multilateral Sanctions Monitoring Team (MSMT) is an 11‑country mechanism, created in October 2024 after Russia’s veto ended the UN 1718 Panel of Experts, to investigate and publicly report violations and evasion of UN Security Council sanctions on North Korea, especially related to weapons of mass destruction (WMD), missiles, and associated financing (including cyber and IT‑worker activity). The participating states are: Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, the Republic of Korea (South Korea), the United Kingdom, and the United States.
Public MSMT statements do not publish an exhaustive list of specific resolutions, but they repeatedly say North Korea’s cyber operations and IT‑worker schemes violate and evade “relevant” DPRK‑related UN Security Council resolutions, especially those that: (1) impose an asset freeze on designated DPRK entities (notably UNSCR 1718 (2006)); and (2) prohibit overseas DPRK labor and related revenue‑generating activities (for example UNSCR 2371 (2017), 2375 (2017), and 2397 (2017)). MSMT communiqués explicitly cite UNSCR 1718’s asset‑freeze provisions as being violated by DPRK intelligence organs conducting these operations.
DPRK IT workers based abroad secretly work for foreign companies (often via online freelancing platforms or front firms), earning salaries in hard currency, which they are required to remit back to the North Korean state. According to the MSMT and US Treasury, these workers: (1) pose as non‑North Korean nationals (using forged or borrowed identities, VPNs, and front companies); (2) win contracts in fields like software development, blockchain, mobile apps, and AI; (3) route payments through foreign bank accounts, crypto wallets, or money‑service businesses controlled by DPRK facilitators; and (4) have a large portion of their earnings confiscated by DPRK agencies, which channel the funds into WMD and missile programs alongside proceeds of cyber‑enabled theft.
Over‑the‑counter (OTC) crypto traders in China typically help DPRK operators cash out stolen cryptocurrency by:
Investigators attribute crypto thefts to DPRK in two main ways:
• Blockchain and technical forensics: Firms and governments analyze on‑chain patterns (re‑used wallets, timing, transaction flows, use of particular mixers/bridges) plus malware, infrastructure, and phishing techniques that match known DPRK groups like Lazarus and Kimsuky. Clusters of addresses are labeled as DPRK‑linked and reused across operations.
• Intelligence and law‑enforcement data: Arrests, seized servers, and classified signals/human intelligence help confirm which state actors control given wallets or infrastructure.
Dollar amounts are estimated by tracing all transfers from a hacked entity to identified attacker‑controlled wallets and valuing the assets at the time they were moved or laundered; firms such as Chainalysis, along with UN and MSMT analysts, cross‑check these flows to produce loss totals (e.g., the multibillion‑dollar figures cited for 2024–25 DPRK hacks).
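The estimation step described above can be sketched as follows. This is an added example, not code from the MSMT or any firm named here; every address, amount, price and function name is constructed for illustration, and it assumes each transfer record carries a unique transaction id.

```python
from decimal import Decimal

# Constructed sample data: every address, amount and price below is invented.
VICTIM = {"exch_hot_1", "exch_hot_2"}        # wallets of the hacked entity
ATTACKER = {"atk_a", "atk_b", "atk_c"}       # cluster labelled by forensics
PRICES = {                                   # (day, asset) -> USD price
    ("2025-01-10", "ETH"): Decimal("3000"),
    ("2025-01-10", "USDT"): Decimal("1"),
    ("2025-01-11", "ETH"): Decimal("2500"),
}
TRANSFERS = [  # (tx_id, day, src, dst, asset, amount)
    ("t1", "2025-01-10", "exch_hot_1", "atk_a", "ETH", Decimal("100")),
    ("t2", "2025-01-10", "exch_hot_2", "atk_b", "USDT", Decimal("50000")),
    ("t3", "2025-01-10", "exch_hot_1", "cust_9", "ETH", Decimal("3")),   # ordinary withdrawal
    ("t4", "2025-01-11", "atk_a", "atk_c", "ETH", Decimal("100")),       # attacker-internal hop
    ("t1", "2025-01-10", "exch_hot_1", "atk_a", "ETH", Decimal("100")),  # duplicate from a 2nd source
    ("t5", "2025-01-10", "exch_hot_2", "atk_b", "XYZ", Decimal("10")),   # no price available
]

def estimate_loss(transfers, victim, attacker, prices):
    """Sum victim -> attacker outflows in USD, priced on the day they moved."""
    seen, total, by_asset, unpriced = set(), Decimal(0), {}, []
    for tx_id, day, src, dst, asset, amount in transfers:
        if tx_id in seen:
            continue                  # same transaction reported by two data sources
        seen.add(tx_id)
        if src not in victim or dst not in attacker:
            continue                  # skips customers and later laundering hops
        price = prices.get((day, asset))
        if price is None:
            unpriced.append(tx_id)    # flag for an analyst; never value at zero silently
            continue
        usd = amount * price
        total += usd
        by_asset[asset] = by_asset.get(asset, Decimal(0)) + usd
    return total, by_asset, unpriced

if __name__ == "__main__":
    print(estimate_loss(TRANSFERS, VICTIM, ATTACKER, PRICES))
```

Counting only the first victim-to-attacker edge keeps the total from being inflated when the same funds are moved again between attacker wallets at a different price.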
When another state is found to be enabling DPRK sanctions evasion via cyber means, the United States and other UN members generally rely on national and collective measures rather than new UN sanctions (which can be vetoed). Tools include:
• Unilateral or coordinated sanctions: Designating foreign banks, companies, facilitators, and individuals that launder DPRK cyber proceeds or host DPRK IT workers; freezing assets and cutting them off from the US and allied financial systems.
• Criminal and civil enforcement: Indicting hackers, money‑launderers, and complicit intermediaries; seizing crypto and fiat assets linked to DPRK operations; and using civil forfeiture.
• Diplomatic démarches and pressure: Formally protesting to the host government, publishing attributions and advisories to raise reputational costs, and threatening secondary sanctions against entities that continue to enable DPRK activity.
• Regulatory and technical cooperation: Sharing intelligence, indicators of compromise, and typologies with other governments and with the private sector to improve enforcement of existing UNSCRs.
To reduce exposure to DPRK‑style intrusions and fraud, companies and crypto platforms can:
• Strengthen cybersecurity: Implement multi‑factor authentication, strict access controls, network segmentation, prompt patching, phishing‑resistant login methods, and robust monitoring for unusual logins and transfers.
• Harden crypto custody: Use hardware security modules and multi‑sig wallets; keep most assets in offline cold storage; enforce withdrawal limits, time‑locks, and manual review of large or anomalous transfers.
• Enhance vetting and compliance: Conduct rigorous KYC/AML checks, screen customers and counterparties against sanctions lists and DPRK red‑flags, and scrutinize remote IT hires or contractors for signs of North Korean origin (VPN‑masked locations, reused identities, mismatched documents).
• Share and use threat intelligence: Consume up‑to‑date indicators of compromise and typologies from governments and reputable cybersecurity firms, participate in information‑sharing groups, and rehearse incident‑response plans tailored to DPRK tactics.
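The custody controls listed above (sanctions screening, time‑locks, withdrawal limits and manual review) can be combined into a single withdrawal gate. This is an added example, not taken from any MSMT or Treasury guidance; the thresholds, the `Account` class and the `decide` function are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass, field

DAY = 86_400                      # seconds
# Assumed policy values for illustration; tune them to the platform's risk appetite.
DAILY_LIMIT_USD = 50_000          # rolling 24h cap per account
REVIEW_THRESHOLD_USD = 20_000     # at or above this, a human must approve
NEW_ADDRESS_LOCK_S = DAY          # time-lock before a new destination can be paid

@dataclass
class Account:
    history: list = field(default_factory=list)    # (timestamp, usd) allowed or reserved
    allowlist: dict = field(default_factory=dict)  # destination -> time first requested

def decide(acct, dest, usd, now, denylist):
    """Return (decision, reason); decision is block, hold, review or allow."""
    if dest in denylist:
        return "block", "destination on sanctions or threat-intel list"
    added = acct.allowlist.get(dest)
    if added is None:
        acct.allowlist[dest] = now               # start the time-lock, pay nothing yet
        return "hold", "new destination, time-lock started"
    if now - added < NEW_ADDRESS_LOCK_S:
        return "hold", "destination still inside time-lock"
    spent = sum(u for t, u in acct.history if now - t < DAY)
    if spent + usd > DAILY_LIMIT_USD:
        return "block", "rolling 24h limit exceeded"
    # Reserve the amount even when it goes to review, so several large
    # requests cannot each pass the limit check and be approved separately.
    acct.history.append((now, usd))
    if usd >= REVIEW_THRESHOLD_USD:
        return "review", "large transfer needs manual approval"
    return "allow", "within policy"

if __name__ == "__main__":
    a = Account()
    deny = {"addr_listed"}        # constructed placeholder, not a real indicator
    for dest, usd, now in [("addr_listed", 10, 0), ("addr_a", 1000, 0),
                           ("addr_a", 1000, DAY), ("addr_a", 25_000, DAY + 10),
                           ("addr_a", 30_000, DAY + 20)]:
        print(dest, usd, decide(a, dest, usd, now, deny))
```

A rejected review should release its reservation from `history`; that bookkeeping is left out here to keep the gate itself readable.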