US sanctions network aiding North Korean IT workers in targeting crypto companies

Continuing its crackdown on North Korea’s efforts to infiltrate U.S. companies, the Treasury Department has sanctioned two individuals and four entities for aiding malicious IT workers in infiltrating crypto firms.

A North Korean national, Song Kum Hyok, and a Russian national, Gayk Asatryan, have been sanctioned by the Treasury’s Office of Foreign Assets Control for their roles in supporting North Korean IT worker operations targeting the crypto sector.

According to OFAC, Song Kum Hyok has ties to North Korea’s Reconnaissance General Bureau (RGB) and its subordinate hacking unit Andariel. He has been accused of creating fake identities using stolen U.S. citizen information to help foreign-based DPRK IT workers secure remote jobs, primarily in crypto-related firms.

These workers would then split earnings with Song, generating revenue for North Korea’s sanctioned weapons programs.

Meanwhile, Asatryan is accused of using his Russia-based firms, Asatryan LLC and Fortuna LLC, to employ dozens of DPRK IT workers under contracts with North Korean state trading companies. 

These entities, namely, Korea Songkwang Trading Corporation and Korea Saenal Trading Corporation, have also been sanctioned for their role in dispatching workers abroad to fund the regime.

OFAC said these actions were a part of a strategic initiative to thwart North Korea’s efforts to deploy thousands of skilled IT workers, mainly based in China and Russia, who use falsified documents and fake profiles to gain employment in crypto and tech firms.

Once embedded, these malicious actors allegedly use freelance platforms and crypto exchanges to receive and launder funds back to the regime. 

“These workers are instructed to deliberately obfuscate their identities, locations, and nationalities, typically using false personas, proxy accounts, stolen identities, and falsified or forged documentation,” the Treasury said, adding that they often exploit freelance platforms and crypto exchanges to launder earnings back to North Korea.

Investigators have warned that North Korea’s cyber infiltration strategy has evolved significantly in recent years. While early efforts focused on direct hacks by groups like Lazarus, the regime now increasingly relies on deception-based methods to quietly embed operatives in legitimate firms.

Crypto investigator ZachXBT estimates that as many as 920 North Korean IT workers may have infiltrated roles in the digital asset sector, generating over $16 million in payroll from unsuspecting employers.

Recognising the scale of the threat, U.S. authorities are now striking at the infrastructure sustaining North Korea’s IT infiltration schemes. The Department of Justice has led recent efforts, bringing criminal charges against DPRK-linked operatives, pursuing asset forfeiture cases targeting millions in laundered crypto.