As part of its ongoing efforts to disrupt North Korea’s attempts to infiltrate U.S. companies, the U.S. Treasury Department has imposed sanctions on two individuals and four entities linked to malicious IT operations targeting cryptocurrency firms.
The Treasury’s Office of Foreign Assets Control (OFAC) sanctioned North Korean national Song Kum Hyok and Russian national Gayk Asatryan for facilitating the employment of North Korean IT workers in the crypto sector.
Song Kum Hyok is reportedly connected to North Korea’s Reconnaissance General Bureau (RGB) and its cyberwarfare unit, Andariel. He is accused of using stolen identities of U.S. citizens to create fake personas, enabling DPRK IT workers abroad to obtain remote jobs in crypto-related companies. A portion of their earnings was allegedly funneled back to support North Korea’s weapons programs.
Gayk Asatryan, meanwhile, is said to have employed dozens of North Korean IT workers through his Russian firms, Asatryan LLC and Fortuna LLC, under contracts with North Korean state trading companies. These companies—Korea Songkwang Trading Corporation and Korea Saenal Trading Corporation—have also been sanctioned for deploying DPRK workers overseas to generate revenue for the regime.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has stated that the latest sanctions are part of a broader strategy to disrupt North Korea’s deployment of thousands of skilled IT workers—primarily operating out of China and Russia—who use fake identities and forged documents to secure jobs in crypto and tech firms.
Once inside these companies, the workers reportedly use freelance platforms and cryptocurrency exchanges to receive and launder funds, funneling them back to the North Korean regime.
“These workers are instructed to deliberately obscure their identities, locations, and nationalities,” the Treasury said, noting they often rely on false personas, proxy accounts, stolen identities, and forged documentation. They also exploit online freelance marketplaces and crypto platforms to mask the movement of their earnings.
Experts say North Korea’s cyber tactics have evolved. While past efforts focused on high-profile hacks—often attributed to groups like Lazarus—the regime now increasingly employs stealthy, deception-based approaches to embed operatives within legitimate companies.
Blockchain investigator ZachXBT estimates that up to 920 North Korean IT workers may have infiltrated roles across the digital asset industry, earning more than $16 million in payroll from unsuspecting employers.
In response to the growing threat, U.S. authorities have intensified efforts to dismantle the networks enabling these schemes. The Department of Justice has taken the lead on several fronts, filing criminal charges against DPRK-linked operatives and pursuing asset forfeiture actions targeting millions in illicit crypto earnings.
