U.S. Sanctions North Korean IT Worker for Crypto Cybercrime Links

- U.S. sanctions Song Kum Hyok for placing DPRK IT workers in foreign firms using stolen identities.
- Sanctioned workers funneled income to fund North Korea’s missile and nuclear weapons programs.
- The scheme involved crypto laundering tied to the Lazarus Group and state-sponsored cyber units.
The U.S. Treasury Department has sanctioned North Korean national Song Kum Hyok for orchestrating a global employment scheme that used stolen U.S. identities to place DPRK IT workers inside foreign companies. According to the Treasury, these workers, often operating remotely from countries like China and Russia, were hired under false pretenses, allowing them to earn income and, in some cases, access sensitive corporate systems.
The revenue generated from these jobs was secretly funneled back to the DPRK government, helping to support its sanctioned weapons and ballistic missile programs. In response, Deputy Secretary of the Treasury Michael Faulkender stressed the importance of ongoing awareness, stating, “Today’s action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs.”
He added, “Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks.”
Behind the Keyboard: A Global Cyber Operation
The sanctioned individual, Song Kum Hyok, isn’t a hacker in the traditional sense. Instead, his role appears to be that of an orchestrator, managing teams of IT professionals trained by the DPRK and embedded into global companies using stolen or forged identities. These workers often posed as citizens of countries such as the United States, hiding behind legitimate credentials and profiles to pass as remote tech freelancers.
Once inside, they would complete paid work for businesses that had no idea they were hiring operatives linked to a foreign intelligence unit. In some cases, these jobs involved software development or digital tools related to cryptocurrency. In others, they reportedly opened the door for deeper cyber access, including malware introduction and data exfiltration.
Song also allegedly used the personal information of U.S. citizens, including Social Security numbers and addresses, to create false employment records for the IT workers. The workers used these records to open job accounts, gain access to payment platforms, and build fake resumes. These operations allowed Song and his network to direct a steady flow of money back to North Korea.
Connections to Lazarus Group and Crypto Heists
The cyber scheme isn’t happening in isolation. According to OFAC, Song is connected to Andariel, a subgroup of North Korea’s powerful cyber unit, the Reconnaissance General Bureau (RGB). The RGB has previously been sanctioned by both the U.S. and the United Nations for supporting the Kim regime’s weapons development.
Andariel, along with the more widely known Lazarus Group and another unit, Bluenoroff, forms the backbone of North Korea’s state-sponsored cyber forces. These groups have been tied to high-profile cyberattacks, including cryptocurrency thefts amounting to hundreds of millions of dollars.
In these operations, hackers steal digital assets and then use crypto exchanges and mixers to launder the funds, eventually moving them into accounts controlled by DPRK actors. These cyber operations provide critical revenue at a time when sanctions have limited North Korea’s ability to trade and generate foreign income through conventional means.
Russian Firms Caught in the Web
In a related move, the Treasury also imposed sanctions on a Russia-based network supporting North Korean IT labor. Russian businessman Gayk Asatryan and four entities were sanctioned for entering into agreements with North Korean trading companies to host and employ DPRK tech workers.
Two of Asatryan’s companies, Asatryan LLC and Fortuna LLC, signed contracts with Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation in 2024 to bring dozens of North Korean IT workers to Russia. These agreements formalized long-term work arrangements that violated sanctions prohibiting DPRK labor exports.
Both Russian companies, along with their North Korean partners, are now blocked. OFAC stated that these firms were used to facilitate employment, payments, and accommodation for workers who ultimately served the interests of the North Korean government.
What the Sanctions Mean
As a result of the designations, all property and assets of the sanctioned individuals and entities within the U.S., or controlled by U.S. persons, are now frozen. U.S. companies and individuals are banned from doing business with those listed, unless explicitly authorized.
Moreover, entities that are 50% or more owned by sanctioned persons are also subject to these restrictions. As a result, financial institutions are required to report any related property or transaction to OFAC.