US Sanctions Key Threat Actors Tied to North Korea’s Remote IT Worker Scheme
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury has taken a strong stance against cyber-enabled financial schemes that support North Korea’s illicit weapons programs by imposing sanctions on Song Kum Hyok, a malicious cyber actor connected to Andariel, a hacking group of the Democratic People’s Republic of Korea (DPRK).
Announced on July 10, 2025, this action also targets one individual, Gayk Asatryan, and four entities involved in a Russia-based IT worker network generating revenue for the DPRK regime.
These sanctions underscore the U.S. government’s ongoing efforts to disrupt the Kim regime’s clandestine funding mechanisms for its weapons of mass destruction (WMD) and ballistic missile programs through cyber espionage and deceptive employment practices.
Treasury Targets DPRK Cyber Actor
Song Kum Hyok, operating from the DPRK, orchestrated a sophisticated IT worker scheme in which foreign nationals, often DPRK citizens based in countries like China and Russia, were provided falsified identities to secure remote employment with unsuspecting U.S. companies.
Between 2022 and 2023, Song exploited stolen personal information such as names, Social Security numbers, and addresses of U.S. individuals to create aliases for these workers, enabling them to pose as American job seekers.
This not only facilitated revenue generation for the DPRK but also posed significant risks to targeted companies, as some DPRK IT workers have been known to embed malware into corporate networks for further exploitation.
OFAC designated Song under Executive Order 13694, as amended, for engaging in cyber-enabled misappropriation of personal and financial information, posing a direct threat to U.S. national security and economic stability.
Parallel to Song’s designation, OFAC sanctioned Russian national Gayk Asatryan and his associated companies, Asatryan Limited Liability Company (Asatryan LLC) and Fortuna Limited Liability Company (Fortuna LLC), alongside DPRK entities Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation.
Asatryan facilitated the deployment of up to 80 DPRK IT workers to Russia under contracts signed in mid-2024, directly contributing to revenue streams for the DPRK government.
Investigations reveal that these workers, part of a global network of thousands of highly skilled DPRK IT professionals, often target wealthier nations’ technology and virtual currency sectors, using falsified identities and proxy accounts to secure freelance contracts.
The funds, frequently managed via virtual currency exchanges, are laundered and remitted to North Korea, bolstering its prohibited weapons programs.
Broader Implications
The DPRK’s IT worker schemes represent a critical component of its strategy to circumvent U.S. and multilateral sanctions, as highlighted by Deputy Secretary of the Treasury Michael Faulkender.
These actions build on previous designations, including that of the Reconnaissance General Bureau (RGB) in 2016 by the United Nations Security Council and those of cyber groups like Lazarus Group and Andariel in 2019 by OFAC, reflecting a sustained commitment to disrupt North Korea’s cyber-financial networks.
The sanctions block all property of the designated individuals and entities in the U.S. or under U.S. control, prohibiting transactions unless authorized by OFAC.
Violations risk severe civil or criminal penalties, emphasizing the Treasury’s resolve to enforce economic sanctions and encourage behavioral change among threat actors.
This latest step reaffirms the U.S. stance against the DPRK’s cyber-enabled revenue generation, safeguarding global financial systems from exploitation.