The US Treasury has sanctioned two people and four entities involved in what it says was a North Korea-run IT worker ring that would infiltrate crypto companies, aiming to exploit them.

The Treasury’s Office of Foreign Assets Control (OFAC) said on Tuesday that it sanctioned the North Korea-based Song Kum Hyok for allegedly stealing US citizens’ information to use as aliases and giving it to hired foreign IT workers who would seek employment at US companies.

OFAC also sanctioned the Russian national Gayk Asatryan for allegedly using his companies to employ dozens of North Korean IT workers under long-term agreements he signed with North Korean trading firms starting in 2024.

A growing number of fraudulent tech workers with ties to North Korea, officially the Democratic People’s Republic of Korea (DPRK), have been expanding their infiltration operations, with an April report from Google finding that the infrastructure for the schemes has spread worldwide.

“Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks,” said Treasury Deputy Secretary Michael Faulkender.

Thousands of IT workers target wealthier countries to fund missile program

OFAC said North Korea aims to generate revenue for its ballistic missile programs by deploying a thousands-strong workforce of highly skilled IT workers all over the world, the bulk of whom are located in China and Russia.

The workforce mainly targets employers located in wealthier countries and uses various mainstream and industry-specific networking platforms, OFAC said.

The sanctions mean all US assets connected to Asatryan, Song, and the four Russian entities also named are frozen. It’s also now illegal for people in the US to conduct any financial transactions or have business dealings with them under the threat of civil and criminal penalties.

North Korea shifting away from hacks

North Korea has been notorious for its high-profile hacks through teams such as the Lazarus Group, and is responsible for some of the largest crypto hacks ever recorded, such as the $1.5 billion Bybit exploit in February.

However, blockchain intelligence firm TRM Labs said on Tuesday that DPRK-linked operations are starting to shift tactics.

“While exchange breaches remain significant, DPRK-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration,” the firm said.

TRM Labs estimates North Korea-aligned bad actors are responsible for $1.6 billion of the $2.1 billion stolen across 75 crypto hacks and exploits in the first half of 2025.

US cracks down on North Korean IT workers

US authorities have been increasingly cracking down on fraudulent North Korean IT worker schemes this year.

On June 30, four North Korean nationals were charged with wire fraud and money laundering after posing as remote workers at US and Serbian blockchain companies.

Meanwhile, on June 5, the US Department of Justice said it was trying to seize $7.74 million in frozen crypto allegedly earned by North Korean IT workers using fake identities and working at blockchain firms as remote contractors.  