U.S. Sanctions DPRK-Backed Crypto Fraud Ring

Key Takeaways

• Two individuals and four entities have been sanctioned for running a North Korea-backed IT worker infiltration ring.
• North Korean operatives used stolen U.S. identities to apply for remote crypto jobs.
• Sanctioned Russian companies allegedly signed long-term deals with DPRK firms.
• These covert IT operations are intended to fund North Korea’s missile and nuclear programs.
• The U.S. has launched a series of legal and financial crackdowns in 2025 to disrupt these schemes.

Sanctioned Individuals & Entities

Key Players Named

On Tuesday, the Treasury’s Office of Foreign Assets Control (OFAC) officially sanctioned Song Kum Hyok, a North Korean national accused of stealing the identities of U.S. citizens to help North Korean IT workers pose as legitimate job applicants. These foreign operatives then gained employment at U.S.-based tech and blockchain firms under false pretenses.

Source: X (@USTreasury)

Alongside Song, Gayk Asatryan, a Russian national, was also sanctioned. OFAC alleges Asatryan signed long-term contracts with North Korean trading companies and knowingly hired dozens of DPRK IT workers through his Russia-based firms starting in early 2024.

Companies Involved

Four Russian entities associated with Asatryan were also blacklisted, cutting off any U.S.-based business or financial interactions with them. Under the sanctions, all U.S. assets linked to these individuals and entities are frozen, and Americans are prohibited from conducting transactions with them, facing civil or criminal penalties if they do.

North Korea’s Expanding IT Workforce Strategy

Infiltration Over Hacking

While North Korea has long been linked to large-scale crypto heists, including the infamous $1.5 billion Bybit exploit earlier this year, experts say the regime is now pivoting toward more subtle infiltration techniques.

According to a recent report by TRM Labs:

“While exchange breaches remain significant, DPRK-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration.”

Source: X (@trmlabs)

How The Scheme Works

North Korean operatives typically pose as remote developers or project managers. Using stolen or falsified identities, they apply for positions at crypto firms, particularly those located in wealthier nations such as the U.S., Canada, and parts of Europe.

These workers often operate under the radar using common platforms like LinkedIn, GitHub, and even industry-specific networking tools. The IT professionals are highly skilled and deliver value to their employers before siphoning off sensitive data or financial resources.

Scale Of The Threat

Funding Missile Development

According to OFAC, North Korea’s ultimate goal is to fund its ballistic missile and nuclear weapons programs. The regime deploys thousands of IT workers, with a large concentration operating out of Russia and China.

In the first half of 2025 alone, North Korean-linked cybercriminals were responsible for $1.6 billion out of $2.1 billion stolen in crypto-related breaches, according to TRM Labs.

Recent Legal Actions

U.S. authorities have significantly ramped up enforcement efforts against North Korean cyber operations:

• June 30th, 2025 – Four North Korean nationals were indicted on wire fraud and money laundering charges after pretending to be remote contractors for U.S. and Serbian blockchain companies.

• June 5th, 2025 – The U.S. Department of Justice announced it was seeking to seize $7.74 million in frozen cryptocurrency allegedly obtained by DPRK IT workers. 

These developments underscore Washington’s growing focus on dismantling North Korea’s shadow cyber economy.

Treasury Department’s Message

Deputy Treasury Secretary Michael Faulkender emphasized the government’s commitment to defending U.S. interests:

“Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks.”

FAQ

Why is the U.S. sanctioning individuals related to IT work?

The individuals are part of a larger scheme designed to fund North Korea’s weapons programs by infiltrating crypto firms and stealing digital assets under false identities.

How do North Korean workers infiltrate companies?

They use stolen or fake identities, often of U.S. citizens, to apply for remote jobs. Once hired, they gather intelligence, exfiltrate data, or redirect funds.

Are crypto companies the only targets?

While crypto firms are the primary focus, DPRK IT workers have also been hired in other tech sectors, especially in blockchain, software development, and AI research.

What happens if a U.S. business works with a sanctioned entity?

They face severe civil and criminal penalties, including asset seizures and prosecution. Businesses are urged to conduct thorough background checks and implement cybersecurity measures.