The US Treasury sanctioned two individuals and four companies on July 9 for operating a North Korea-backed remote work infiltration scheme. The Treasury’s Office of Foreign Assets Control (OFAC) identified them as part of a broader operation using North Korean IT workers to steal data from blockchain companies and generate funds for the country’s missile funding program.
North Korean IT Worker Sanctions. Source: Treasury Department / X (@USTreasury)
Song Kum Hyok, a DPRK national, allegedly stole identities of US citizens and gave them to hired IT operatives. These operatives used the information to apply for jobs at crypto-related firms, pretending to be American workers.
OFAC also named Gayk Asatryan, a Russian citizen, for his role in employing dozens of North Korean IT workers. According to the Treasury, Asatryan signed contracts in 2024 with North Korean trading firms to provide long-term job placements. Four of his Russian companies are now under sanction.
All US assets linked to the named individuals and entities are frozen. US persons are banned from doing business with them under threat of civil and criminal penalties.
Crypto Theft Tactics Shift From Hacking to Infiltration
A new TRM Labs report said DPRK cybercrime is shifting away from direct hacking and toward job-based infiltration. The report noted that North Korean IT workers are now posing as legitimate candidates to secure remote work, mainly at blockchain companies.
“While exchange breaches remain significant, DPRK-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration,”
TRM Labs stated on July 9.
This strategy lets North Korean IT workers operate inside companies without alerting security teams. Once inside, they collect sensitive data or access company resources.
According to TRM Labs, DPRK cybercrime operations were responsible for $1.6 billion out of $2.1 billion stolen in 75 crypto hacks during the first half of 2025.
Thousands of North Korean IT Workers Planted Worldwide
The Treasury said North Korea has deployed thousands of skilled tech workers across the globe to support its missile funding goals. Most of these workers are based in Russia and China, targeting firms in wealthier countries.
They use public and niche job sites to get hired by crypto firms as remote developers. The job contracts are long-term, and the workers often stay undetected for extended periods.
A Google report from April 2025 confirmed that North Korea’s job-fraud infrastructure now spans multiple continents. The operations aim to move money back to the DPRK.
Deputy Secretary Michael Faulkender said,
“Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions.”
Previous Arrests and Seizures Tied to Crypto Theft
On June 30, the US charged four North Korean nationals with wire fraud and money laundering . They allegedly posed as remote developers at crypto firms based in the US and Serbia .
Earlier, on June 5, the Department of Justice moved to seize $7.74 million in cryptocurrency. The funds came from fake developer jobs held by North Korean IT workers using stolen identities.
These actions are part of the US government’s larger effort to stop the use of remote work infiltration for crypto theft and missile funding.
Crypto Sector Still a Prime Target
OFAC warned that blockchain companies remain high-risk targets for DPRK cybercrime. Many firms use remote hiring processes, which make them vulnerable to identity fraud.
The Treasury stressed that remote hiring must include proper verification. Without it, North Korean IT workers could continue to gain access to US systems and financial platforms.
