U.S. Sanctions North Korean Hacker for Remote IT Worker Scheme

U.S. Sanctions North Korean and Russian Actors for Running Global Fraudulent IT Worker Scheme Using Stolen Identities and Cryptocurrency

  • The U.S. Treasury sanctioned a North Korean national linked to a fraudulent remote IT worker scheme.
  • Sanctions target individuals and companies from North Korea and Russia accused of helping North Koreans get jobs with U.S. companies under false identities.
  • The action follows law enforcement seizures of financial accounts, websites, and computers connected to the scheme.
  • North Korea’s IT worker operations are used to generate funds for prohibited weapons programs, often using cryptocurrency transactions.
  • Experts highlight the transnational and complex nature of these schemes, involving layered operations across multiple countries.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on a member of the North Korean hacking group known as Andariel for organizing a remote information technology (IT) worker scheme. Song Kum Hyok, 38, was identified as a key participant, facilitating employment in U.S. companies by using stolen American identities and planning to share earnings with other North Korean workers.

According to the Treasury, between 2022 and 2023 Song used names, addresses, and Social Security numbers of U.S. citizens to create fake personas. These identities were used by North Korean IT workers to secure remote jobs in the United States. The U.S. Department of Justice recently announced related enforcement actions, which included one arrest, the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

Further sanctions have been announced against a Russian national, Gayk Asatryan, and four Russia-based entities involved in contracting North Korean IT workers. These include Asatryan’s companies Asatryan LLC and Fortuna LLC, as well as North Korean firms Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation, which sent workers to Russia under contracts with Asatryan.

This action marks the first time a member of Andariel—a subgroup within the Lazarus Group, which is linked to North Korea’s military intelligence—has been directly connected to the IT worker scheme. Deputy Secretary of the Treasury Michael Faulkender stated, “The action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs.”

The scheme, tracked by other names such as Nickel Tapestry and Wagemole, involves North Korean workers using forged identities to gain remote work and funneling their salaries to the regime through complex cryptocurrency transactions. This effort is part of a broader strategy by North Korea to sidestep international sanctions and fund its weapons programs.

Data from TRM Labs shows North Korean groups have stolen about $1.6 billion in cryptocurrency out of a total of $2.1 billion taken in 75 hacks during the first half of 2025. Experts like DTEX’s Michael Barnhart emphasized the international nature of these schemes, noting the use of operations across several countries and front companies.

In related cybersecurity developments, the North Korea-linked group Kimsuky has been reported to use malware called HappyDoor in email attacks on South Korean organizations, according to AhnLab. This malware is distributed through spear-phishing and is designed to steal information, run commands, and install further malicious software.
