- The U.S. Treasury sanctioned a North Korean national linked to a fraudulent remote IT worker scheme.
- Sanctions target individuals and companies from North Korea and Russia accused of helping North Koreans get jobs with U.S. companies under false identities.
- The action follows law enforcement seizures of financial accounts, websites, and computers connected to the scheme.
- North Korea’s IT worker operations are used to generate funds for prohibited weapons programs, often using cryptocurrency transactions.
- Experts highlight the transnational and complex nature of these schemes, involving layered operations across multiple countries.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on a member of the North Korean Hacking group known as Andariel for organizing a remote information technology (IT) worker scheme. Song Kum Hyok, 38, was identified as a key participant, facilitating employment in U.S. companies by using stolen American identities and planning to share earnings with other North Korean workers.
According to the Treasury, between 2022 and 2023 Song used names, addresses, and Social Security numbers of U.S. citizens to create fake personas. These identities were used by North Korean IT workers to secure remote jobs in the United States. The U.S. Department of Justice recently announced related enforcement actions, which included one arrest, the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.
Further sanctions have been announced against a Russian national, Gayk Asatryan, and four Russia-based entities involved in contracting North Korean IT workers. These include Asatryan’s companies Asatryan LLC and Fortuna LLC, as well as North Korean firms Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation, which sent workers to Russia under contracts with Asatryan.
This action marks the first time a member of Andariel—a subgroup within the Lazarus Group, which is linked to North Korea’s military intelligence—has been directly connected to the IT worker scheme. Deputy Secretary of the Treasury Michael Faulkender stated, “The action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs.”
The scheme, tracked by other names such as Nickel Tapestry and Wagemole, involves North Korean workers using forged identities to gain remote work and funneling their salaries to the regime through complex cryptocurrency transactions. This effort is part of a broader strategy by North Korea to sidestep international sanctions and fund its weapons programs.
Data from TRM Labs shows North Korean groups have stolen about $1.6 billion in cryptocurrency out of a total of $2.1 billion taken in 75 hacks during the first half of 2025. Experts like DTEX’s Michael Barnhart emphasized the international nature of these schemes, noting the use of operations across several countries and front companies.
In related Cybersecurity developments, the North Korea-linked group Kimsuky has been reported to use a Malware called HappyDoor in email attacks on South Korean organizations, according to AhnLab. This malware is distributed through spear-phishing and is designed to steal information, run commands, and install further malicious software.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS 2025 Summit Ignores New Currency, De-Dollarization Plans
- Detroit man admits sending cryptocurrency donations to ISIS
- Shiba Inu Investors Urged to Be Patient Amid Price Stagnation
- Two Men Indicted in $650M OmegaPro International Fraud Scheme
- AI-Spawned ‘MechaHitler’ Meme Coin Surges, Sparks Backlash
