Vitaliy Sergeyevich Andreyev (Russian: Виталий Сергеевич АНДРЕЕВ) is a Russian national sanctioned by the U.S. Department of the Treasury for his role in a fraudulent scheme involving overseas information technology (IT) workers from the Democratic People’s Republic of Korea (DPRK). He was identified for facilitating financial transactions that supported a North Korean company linked to the country's defense ministry. ^{[1] [2] [6]}

Activities Leading to Sanctions

Andreyev was involved in a network that generated revenue for the DPRK government through the deployment of skilled IT workers abroad. These workers would often use fraudulent documents and stolen identities to gain employment at companies, including those in the United States, with a significant portion of their earnings being repatriated to fund North Korea's weapons of mass destruction and ballistic missile programs. ^{[1] [4]}

According to the U.S. Treasury, Andreyev worked directly with Kim Ung Sun, a Russia-based DPRK economic and trade consular official, to facilitate financial transfers for Chinyong Information Technology Cooperation Company. Chinyong, which was previously sanctioned by the U.S. in 2023, is an entity associated with the DPRK's defense ministry that employs IT workers in Russia and Laos. Starting in at least December 2024, Andreyev assisted in multiple transactions totaling nearly $600,000 by converting cryptocurrency into U.S. dollar cash and transferring the funds to the North Korean company. ^{[1] [2] [4]}

Blockchain analysis by the firm Elliptic revealed further details about the cryptocurrency transactions. A Bitcoin address associated with Andreyev received over $600,000, with funds traced back to the June 2023 exploit of Atomic Wallet, an incident attributed to the North Korean hacking syndicate known as the Lazarus Group. The analysis also showed that the funds moved through cross-chain bridges, a common tactic used by North Korean actors to obscure the origin and flow of illicitly obtained assets. ^[3]

A report from the AI company Anthropic, released on the same day as the sanctions, stated that its products had been used by North Korean IT workers to help secure and maintain remote employment at Fortune 500 technology companies. ^[4]

U.S. Sanctions

On August 27, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Vitaliy Sergeyevich Andreyev for sanctions pursuant to Executive Order 13687. The designation was for having "materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Chinyong," which was already a sanctioned entity. ^[1]

The OFAC Specially Designated Nationals (SDN) list provides specific identifying information for Andreyev, including his date of birth (September 29, 1980), place of birth (Vladivostok, Russia), Russian Tax ID number (253908966176), and a Bitcoin address (1HmqvgSXUVES1jn4TQPzk9dxo1NE8wim2T). The designation also specifies that he is subject to secondary sanctions risks under the North Korea Sanctions Regulations. ^[6]

The action was part of a broader set of designations targeting the DPRK IT worker network. Also sanctioned on the same day were Kim Ung Sun; Shenyang Geumpungri Network Technology Co., Ltd, a Chinese front company for Chinyong that has reportedly earned more than $1 million since 2021; and the DPRK-based Korea Sinjin Trading Corporation, which operates under North Korea's Ministry of People’s Armed Forces General Political Bureau. ^{[1] [5] [4]}

The Treasury stated that the sanctions were part of a whole-of-government effort to counter North Korea's revenue generation schemes, in coordination with allies and partners. The action came one day after the U.S. State Department and officials in Japan and South Korea held a forum in Tokyo to address the IT worker threat. As part of this collaboration, the Department of State and the foreign ministries of South Korea and Japan also issued a joint statement on the dangers posed by the North's IT workers. ^{[5] [4]} In a statement regarding the action, Under Secretary of the Treasury for Terrorism and Financial Intelligence John Hurley said, "The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom. Under President Trump, Treasury is committed to protecting Americans from these schemes and holding the guilty accountable." ^{[1] [5]}

As a result of the sanctions, all property and interests in property of Andreyev that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. The regulations generally prohibit all transactions by U.S. persons that involve any property or interests in property of designated individuals. Violations can result in civil or criminal penalties. ^{[1] [2]}