The U.S. Treasury has imposed sanctions on two individuals and four organizations linked to a North Korea-operated IT worker scheme accused of infiltrating cryptocurrency companies to exploit them.
On Tuesday, the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against North Korean national Song Kum Hyok, who is accused of stealing personal information from U.S. citizens to create false identities for foreign IT workers seeking jobs at American firms.
OFAC also sanctioned Russian national Gayk Asatryan, alleging that he employed dozens of North Korean IT workers through his companies under long-term contracts established with North Korean trading firms beginning in 2024.
An increasing number of fraudulent tech workers linked to North Korea, officially known as the Democratic People’s Republic of Korea (DPRK), have been expanding their infiltration efforts globally. A report from Google in April revealed that the infrastructure supporting these operations has now reached a worldwide scale.
“Treasury remains committed to using every available tool to disrupt the Kim regime’s attempts to evade sanctions through digital asset theft, impersonation of U.S. citizens, and malicious cyber activity,” said Treasury Deputy Secretary Michael Faulkender.
Thousands of North Korean IT workers target wealthier nations to help finance the country’s missile program
According to the Office of Foreign Assets Control (OFAC), North Korea is deploying a global workforce of thousands of highly skilled IT professionals to generate revenue for its ballistic missile programs, with most of these workers operating out of China and Russia. These individuals primarily target employers in wealthier nations, leveraging both mainstream and industry-specific networking platforms to secure positions.
As a result of the newly announced sanctions, all U.S.-based assets linked to Gayk Asatryan, Song Kum Hyok, and the four Russian entities named have been frozen. Additionally, U.S. individuals and businesses are now prohibited from engaging in any financial or commercial transactions with the sanctioned parties, with violations subject to civil and criminal penalties.
North Korea shifting away from hacks
North Korea has long been known for its high-profile cyberattacks, particularly through groups like the Lazarus Group, and is behind some of the largest cryptocurrency hacks in history—including the $1.5 billion Bybit exploit in February.
However, blockchain intelligence firm TRM Labs reported Tuesday that North Korean tactics are beginning to evolve.
“Although exchange breaches are still a major threat, DPRK-linked operations are increasingly focusing on deception-based methods to generate revenue, such as infiltrating companies through IT workers,” the firm stated.
TRM Labs estimates North Korea-aligned bad actors are responsible for $1.6 billion of the $2.1 billion stolen across 75 crypto hacks and exploits in the first half of 2025.
US Targets North Korean IT Workers in Sanctions Crackdown
U.S. authorities have intensified their efforts this year to dismantle fraudulent schemes involving North Korean IT workers.
On June 30, four North Korean nationals were charged with wire fraud and money laundering after allegedly posing as remote employees at blockchain companies based in the U.S. and Serbia.
Earlier, on June 5, the U.S. Department of Justice announced efforts to seize $7.74 million in frozen cryptocurrency, which was allegedly earned by North Korean IT workers using false identities while working as remote contractors for blockchain firms.
