Treasury sanctions North Korean over IT worker malware scheme
The U.S. Department of the Treasury sanctioned cyber actor Song Kum Hyok for his association with North Korea’s hacking group Andariel and for facilitating IT worker schemes that generated revenue for the Pyongyang regime.
Considered a sub-cluster of the Lazarus group linked to North Korea’s Reconnaissance General Bureau, the Andariel state actor is focused mostly on financially-motivated operations like ransomware (Maui, Play) and cryptocurrency heists.
Song Kum Hyok has been identified as a member of the Andariel hacking group (also known as APT45 and Silent Cholima) and has been providing fake or stolen U.S. identities to foreign IT workers seeking remote jobs at U.S. companies.
The workers split the income with Song, who sent the funds to North Korea as part of the country’s effort to finance its WMD (weapons of mass destruction) and ballistic missile programs.
Some of the workers also supported Andariel's cyberattacks by stealing data from, and deploying malware on, the systems of the companies that hired them.
“Song facilitated an information technology (IT) worker scheme in which individuals, often DPRK nationals working from countries such as China and Russia, were recruited and provided with falsified identities and nationalities to obtain employment at unwitting companies to generate revenue for the DPRK regime,” reads the U.S. Treasury announcement.
“In some cases, these DPRK IT workers have been known to introduce malware into company networks for additional exploitation.”
Between 2022 and 2023, Song Kum Hyok used stolen U.S. citizens’ information (names, social security numbers, addresses) to create for his collaborators aliases that would get them hired by U.S. companies.
Related to these activities, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) lists another five parties:
- Gayk Asatryan – Russian national who employed DPRK IT workers through his companies
- Asatryan LLC – Russian company owned or controlled by Gayk Asatryan
- Fortuna LLC – Russian company owned or controlled by Gayk Asatryan
- Korea Songkwang Trading General Corporation (Songkwang Trading) – North Korean company involved in dispatching IT workers to Russia
- Korea Saenal Trading Corporation (Saenal Trading) – North Korean company involved in the same activity
U.S. Treasury sanctions include a freeze on all assets under U.S. jurisdiction, a ban on transactions with U.S. individuals and companies, and a cutoff of access to U.S.-based payment processing platforms.
Furthermore, non-U.S. entities like foreign banks and platforms that continue to do business with the sanctioned entities risk being sanctioned themselves.
This action comes shortly after the U.S. Department of Justice announced sweeping action against North Korean IT worker schemes in the country.
On July 1, 2025, U.S. authorities searched 29 “laptop farms” and announced one arrest, 12 indictments, and the seizure of 29 financial accounts, 21 websites, and 200 computers.