A sophisticated cyber scheme run by North Korean actors is facing a new wave of U.S. sanctions, targeting those who exploited false identities to infiltrate global companies and funnel revenue into the Kim regime’s weapons programs.
U.S. Sanctions Cyber Actors Behind IT Worker Scheme
WASHINGTON, July 8, 2025 — The U.S. Department of the Treasury imposed fresh sanctions today on North Korean cyber actor Song Kum Hyok and a network of Russia-based individuals and entities.
These actors facilitated an illicit IT worker scheme that generated revenue to support North Korea’s ballistic missile and weapons of mass destruction (WMD) programs.
The sanctions reflect ongoing U.S. efforts to counter cyber-enabled threats that compromise both national security and the integrity of the global digital economy.
Who Is Behind the IT Worker Scheme?
Song Kum Hyok, linked to the North Korean Andariel hacking group, operated a covert strategy to deploy DPRK nationals as freelance IT workers in U.S. and global firms.
These workers often used stolen identities of American citizens, enabling them to bypass hiring checks and gain access to sensitive systems.
Working remotely from countries like Russia and China, these IT specialists disguised their nationalities and identities, developing software, managing infrastructure, and at times inserting malware into company systems.
How the Scheme Operated
The strategy was deliberate and multifaceted:
- North Korean workers used proxy accounts and falsified documents to pose as U.S.-based freelancers.
- Payments were received through virtual currency exchanges and laundered back to DPRK-linked entities.
- In some cases, malware was introduced, raising both data security and espionage concerns.
OFAC’s investigation revealed Song utilized sensitive U.S. personal data, including Social Security numbers and home addresses, to build identities for DPRK nationals seeking employment with American companies.
Russian Involvement and Commercial Ties
In addition to Song, Russian national Gayk Asatryan was sanctioned for managing two companies—Asatryan LLC and Fortuna LLC—that entered into 10-year contracts with North Korean firms. These contracts authorized the dispatch of up to 80 DPRK IT workers to Russia.
These partnerships, facilitated through Korea Songkwang Trading and Korea Saenal Trading (both sanctioned), demonstrate the international scope of the DPRK’s cyber revenue strategy.
Sanctioned Entities and Their Roles
Entity | Country | Role in Scheme |
---|---|---|
Song Kum Hyok | North Korea | Cyber actor behind identity fraud and recruitment |
Andariel Group | North Korea | State-sponsored hacking group |
Gayk Asatryan | Russia | Business facilitator of DPRK IT workers |
Asatryan LLC | Russia | Employment front for IT workers |
Fortuna LLC | Russia | Contracting DPRK labor for tech projects |
Songkwang Trading | North Korea | Labor export entity |
Saenal Trading | North Korea | Revenue-generating commercial arm |
U.S. Legal and Enforcement Response
The sanctions fall under Executive Orders 13694, 13722, and 13810, which target cyber-enabled threats and illicit DPRK revenue streams.
All U.S.-based assets of the designated individuals and entities are now blocked. U.S. persons are prohibited from conducting any transactions with them.
OFAC emphasized that sanctions aim to disrupt, not punish. The agency offers removal from the SDN list for those who demonstrate compliance or behavioral change.
Sanctions Impact:
- U.S. firms must conduct due diligence to avoid hiring disguised DPRK IT workers.
- Financial institutions are warned of exposure risks from indirect transactions.
Broader Strategy and National Security Implications
This enforcement action is part of a broader U.S. policy to reduce North Korea’s capacity to fund its strategic weapons development via cybercrime. It also aims to deter future cyber-espionage by limiting the regime’s access to foreign tech ecosystems.
The Department of State’s Rewards for Justice program offers:
- Up to $10 million for information leading to the identification of foreign-directed cyber attackers.
- Up to $5 million for tips disrupting financial mechanisms supporting DPRK worker export schemes.
Final Notes
This case underscores how digital platforms can be manipulated to finance geopolitical threats. Businesses, particularly in tech and finance, must remain vigilant against falsified identities and disguised labor sourcing.
Sources: US Department of State and US Department of the Treasury.
Prepared by Ivan Alexander Golden, Founder of THX News™, an independent news organization delivering timely insights from global official sources. Combines AI-analyzed research with human-edited accuracy and context.