US Treasury Sanctions North Korean, Russian Operatives for Funding Missile Programs Through IT Work
On July 8, the U.S. imposed sanctions on North Korean and Russian individuals and entities involved in IT worker schemes that help fund the Democratic People’s Republic of Korea’s (DPRK) nuclear and missile programs.
Malicious Code Planted by IT Workers for Future Use
In an official press release, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced action against Song Kum Hyok, a cybercriminal with ties to the Andariel group.
Today, the Treasury's Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People's Republic of Korea (DPRK) IT worker schemes.
The DPRK generates significant revenue for its WMD and ballistic missile programs by…
— Treasury Department (@USTreasury) July 8, 2025
He was accused of helping North Korean remote IT workers secure jobs at American companies.
Investigations further revealed that between 2022 and 2023, Song reportedly used stolen personal details, such as names, Social Security numbers, and home addresses, from American citizens to create false identities.
These fabricated profiles allowed North Korean workers to bypass company background checks undetected.
The Treasury further revealed that Song intended to distribute wages earned through these fraudulent jobs. The ultimate objective, however, was to covertly divert funds to the North Korean regime, bolstering its weapons development efforts.
OFAC’s sanctions extended beyond Song. The agency also blacklisted Gayk Asatryan, a Russian businessman operating in the Primorsky Krai region.
Two of his companies were involved in arranging large deployments of North Korean IT workers, totaling up to 80. Two North Korean firms signed these contracts: Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation.
In mid-2024, Asatryan’s company agreed to host 30 North Korean workers through one contract, and another deal covered 50 more. Both companies were tied directly to the DPRK regime.
The OFAC report revealed that the IT workers operated mainly out of China and Russia.
While they appeared to be regular remote employees, some quietly installed malware on company systems. The malware wasn't always used right away. It was planted for later use, ready to be activated in future attacks.
As punishment, the Treasury placed Song, Asatryan, and the four associated companies on its Specially Designated Nationals list. That means all their U.S. assets are now frozen. American businesses and individuals are banned from working with them.
Over 10,000 IT Workers Feared to be Active
According to the 2024 report from the former U.N. Panel of Experts on DPRK sanctions, roughly 10,000 North Korean remote IT workers may be operating around the world.
They hide in plain sight, applying for freelance or full-time tech jobs at companies across the U.S., Europe, and Asia.
At first, the goal was simple: earn income. But something changed.
The same workers who once built software or managed servers now participate in larger cyber campaigns. They are linked to ransomware attacks, phishing, and crypto heists.
A recent report uncovered a new tactic. Hackers posing as investors or clients join fake Zoom calls with cryptocurrency founders.
Once trust is built, they convince victims to download malware that silently hijacks their devices. Sensitive files are stolen, access is granted, and damage begins.
Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers.
Fortunately, this founder realized what was going on.
The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an… pic.twitter.com/ZnW8Mtof4F
— Nick Bax.eth (@bax1337) March 11, 2025
This shift from remote work to covert cyber warfare has caught the attention of U.S. agencies.
On May 1, the Treasury’s Financial Crimes Enforcement Network (FinCEN) took action against the Huione Group, a Cambodian conglomerate. The group was cut off from the American financial system after investigators traced over $4 billion in suspicious funds through its accounts.
At least $37 million of that amount was linked to cyberattacks by North Korea’s infamous hacking unit, Lazarus Group.
Another $36 million came from crypto scams known as “pig butchering,” where victims are lured into fake investment schemes.
At press time, the focus is no longer just on blocking hackers, but more on cutting off the systems that make these networks possible.