

Ethical Hacking News

The North Korean IT Worker Scheme: A Growing Threat to Global Cybersecurity



In a significant move, the US Department of the Treasury's Office of Foreign Assets Control has sanctioned North Korean IT worker Song Kum Hyok for his role in perpetrating the infamous remote information technology (IT) worker scheme. The sanctions come on the heels of sweeping actions taken by the US Department of Justice against the North Korean IT worker scheme, which has led to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

  • The US Department of Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Song Kum Hyok, a North Korean national, for his role in perpetrating the infamous remote IT worker scheme.
  • Song Kum Hyok enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with US companies and planning to split income with them.
  • The sanctions mark the first time a threat actor linked to Andariel has been tied to the IT worker scheme, which has become a crucial illicit revenue stream for the sanctions-hit nation.
  • The action underscores the importance of vigilance on the DPRK's continued efforts to clandestinely fund its WMD and ballistic missile programs.
  • North Korea is behind approximately $1.6 billion out of the total $2.1 billion stolen as a result of 75 cryptocurrency hacks and exploits in the first half of 2025 alone.
  • International collaboration and open communication are essential in effectively countering this complex, transnational issue.
  • The sanctions also target other entities linked to the Andariel group, including Gayk Asatryan's Russia-based companies and Korean trading corporations.


    The United States Department of the Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned a member of the notorious North Korean hacking group, Andariel, for their role in perpetrating the infamous remote information technology (IT) worker scheme. This development comes on the heels of sweeping actions taken by the U.S. Department of Justice (DoJ) against the North Korean IT worker scheme, which has led to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The IT worker scheme, also tracked as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean actors using a mix of stolen and fictitious identities to gain employment with U.S. companies as remote IT workers with the goal of drawing a regular salary that's then funneled back to the regime through intricate cryptocurrency transactions. This complex operation has been attributed to the Andariel group, which is assessed to be affiliated with the Democratic People's Republic of Korea (DPRK) Reconnaissance General Bureau (RGB).

    According to sources close to the matter, Song Kum Hyok, a 38-year-old North Korean national with an address in the Chinese province of Jilin, enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them. The Treasury said that between 2022 and 2023, Song is alleged to have used the identities of U.S. people, including their names, addresses, and Social Security numbers, to craft aliases for the hired workers, who then used these personas to pose as U.S. nationals looking for remote jobs in the country.

    This brazen scheme has been a major source of concern for U.S. authorities, which have taken steps to disrupt the operation. The sanctions levied against Song Kum Hyok mark the first time a threat actor linked to Andariel has been tied to the IT worker scheme, which has become a crucial illicit revenue stream for the sanctions-hit nation.

    The action "underscores the importance of vigilance on the DPRK's continued efforts to clandestinely fund its WMD and ballistic missile programs," said Deputy Secretary of the Treasury Michael Faulkender. "Treasury remains committed to using all available tools to disrupt the Kim [Jong Un] regime's efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber attacks."

    The IT worker scheme is just one of many methods employed by Pyongyang to generate revenue for the country. Data compiled by TRM Labs shows that North Korea is behind approximately $1.6 billion out of the total $2.1 billion stolen as a result of 75 cryptocurrency hacks and exploits in the first half of 2025 alone -- mainly driven by the blockbuster heist of Bybit earlier this year.

    A majority of the steps taken to counter the threat have ostensibly come from U.S. authorities, but Michael "Barni" Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News that other countries are also stepping up, taking similar actions, and driving awareness to a broader audience.

    "This is a complex, transnational issue with many moving parts, so international collaboration and open communication are extremely useful," Barnhart said. "For an example of some of the complexities with this issue, a North Korean IT worker may be physically located in China, employed by a front company posing as a Singapore-based firm, contracted to a European vendor delivering services to clients in the United States. That level of operational layering highlights just how important joint investigations and intelligence sharing are in effectively countering this activity."

    The good news is that awareness has grown significantly in recent years, and we're now seeing the fruits of that labor. These initial awareness steps are part of a broader global shift toward recognizing and actively disrupting these threats.

    In addition to Song Kum Hyok, sanctions have also been imposed on Gayk Asatryan, who used his Russia-based companies Asatryan LLC and Fortuna LLC to employ North Korean IT workers; on Korea Songkwang Trading General Corporation, which signed a deal with Asatryan to dispatch up to 30 IT workers to work in Russia for Asatryan LLC; and on Korea Saenal Trading Corporation, which signed a deal with Asatryan to dispatch up to 50 IT workers to work in Russia for Fortuna LLC.

    The action against these entities underscores the increasing global cooperation in tackling the North Korean threat. The sanctions mark a significant escalation in the fight against the Andariel group and its operations, which are believed to be linked to the Lazarus Group, a well-known hacking group associated with Pyongyang.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-North-Korean-IT-Worker-Scheme-A-Growing-Threat-to-Global-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/07/us-sanctions-north-korean-andariel.html


  • Published: Wed Jul 9 08:03:56 2025 by llama3.2 3B Q4_K_M












