US Sanctions North Korean IT Worker Network Over Crypto Infiltration and Fraud
The United States Treasury Department has imposed sanctions on two individuals and four entities for operating a North Korea-led scheme that infiltrated U.S. crypto companies using deceptive IT workers. The action highlights a growing shift in North Korea’s tactics — moving from high-profile hacks to deception-based operations that exploit legitimate employment channels.
Sanctions Target North Korean and Russian Operatives
On Tuesday, the Office of Foreign Assets Control (OFAC) announced sanctions against Song Kum Hyok, a North Korean national accused of stealing U.S. citizens’ personal data and distributing it to foreign IT workers who used the identities to secure jobs in American companies.
Today, the Treasury’s Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People’s Republic of Korea (DPRK) IT worker schemes.
The DPRK generates significant revenue for its WMD and ballistic missile programs by…
— Treasury Department (@USTreasury) July 8, 2025
Also sanctioned was Gayk Asatryan, a Russian national who allegedly employed dozens of North Korean tech workers through his companies under long-term agreements signed with North Korean trading firms beginning in 2024.
The U.S. government froze all assets associated with the named individuals and entities. Americans are now prohibited from conducting any business with the sanctioned parties under threat of civil and criminal penalties.
Treasury: Scheme Funded Ballistic Missile Program
The Treasury said that thousands of North Korean IT workers have been strategically deployed worldwide, particularly in China and Russia, with the goal of generating revenue for the DPRK’s ballistic missile program. These workers often masquerade as remote employees from other countries, targeting companies in wealthier nations — especially in the crypto and blockchain sectors.
“Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions,” said Deputy Secretary Michael Faulkender, pointing to North Korea’s tactics of identity theft, impersonation, and cyber-attacks.
Shift from Hacking to Infiltration
According to blockchain analytics firm TRM Labs, North Korean operations are pivoting away from direct exchange hacks toward deception-based methods, including remote employment schemes and IT worker infiltration.
While North Korea has been linked to some of the largest crypto heists — including the $1.5 billion Bybit hack in February — TRM Labs reports that infiltration tactics are becoming more dominant. The firm estimates that DPRK-aligned actors were responsible for $1.6 billion of the $2.1 billion stolen in 75 crypto hacks during the first half of 2025.
Broader Crackdown on Fraudulent Tech Workers
The sanctions come amid a broader U.S. crackdown on North Korean-linked IT workers:
-
June 30: Four North Koreans were charged with wire fraud and money laundering, after posing as blockchain developers at U.S. and Serbian companies.
-
June 5: The Department of Justice announced efforts to seize $7.74 million in frozen crypto tied to North Korean remote contractors using false identities.
The U.S. government, in coordination with blockchain intelligence firms, appears to be intensifying its scrutiny of covert North Korean operations that exploit the borderless nature of remote tech work — particularly in the crypto sector.
Global Threat Landscape
An April report from Google also highlighted the global infrastructure that supports North Korea’s fraudulent IT schemes, noting that the scale and reach of these operations continue to grow.
As traditional hacking becomes more detectable, North Korea’s evolution toward employment-based fraud presents a fresh challenge for both cybersecurity experts and regulators — especially as crypto and Web3 firms remain prime targets.
