North Korea's Cyber Operation Steals $1.6 Billion From Crypto Firms

The United States has imposed new sanctions on a North Korea-backed cyber operation that has been using remote job applications to funnel stolen cryptocurrency funds into Kim Jong Un’s nuclear weapons program. This latest development indicates a shift in North Korean cyber attack tactics from brute-force hacking to more sophisticated infiltration methods.

North Korean cyber operatives have been responsible for billions of dollars in theft from the cryptocurrency space this year alone. The US Treasury and blockchain analytics firm TRM Labs have identified that the regime is increasingly using highly skilled IT workers posing as remote contractors to infiltrate US-based blockchain and crypto companies. These workers not only steal data but also exploit company access, plant malware, and collect salaries that are funneled back to the North Korean government. Their activities span various sectors, including business software, health and fitness apps, social networking, sports, entertainment, and crypto exchanges.

On July 8, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals and four Russian entities linked to this crypto cyber campaign. Among those sanctioned was Song Kum Hyok, a North Korean operative and member of the Andariel hacking group, which is part of Kim Jong Un’s military intelligence wing known as the Reconnaissance General Bureau. Song is accused of masterminding a massive identity theft campaign as far back as 2022, stealing personal information from American citizens to disguise North Korean IT workers as real job applicants.

Another sanctioned individual was Gayk Asatryan, a Russian national who allegedly signed a 10-year agreement with North Korean trading firms in 2024. Asatryan formed a network called the “Asatryan IT Worker Network,” which hosted up to 30 North Korean IT specialists in Russia. This network helped these specialists secure jobs in Western tech firms. The four sanctioned individuals tied to Asatryan are now barred from accessing any assets within the US and face criminal penalties for any ongoing or future transactions with US companies.

US officials believe the ultimate goal of this cyber hacking scheme is to support North Korea’s weapons development. Treasury Deputy Secretary Michael Faulkender stated that thousands of North Korean IT workers, mostly stationed in Russia and China, are actively targeting crypto companies in wealthier nations. Their income, often obtained under fake identities, is funneled back to the regime to pay for its arsenal and nuclear warheads.

According to TRM Labs, North Korean bad actors were responsible for $1.6 billion in theft from crypto firms during the first half of the year alone. This accounts for over three-quarters of the total $2.1 billion stolen across 75 major crypto hacks in that timeframe. While exchange hacks still remain a risk, other strategies like the IT worker infiltration are becoming more preferred due to their lower visibility and high return.

On June 30, four North Korean nationals were charged with wire fraud and money laundering after allegedly posing as remote workers at blockchain firms in the US and Serbia. Earlier on June 5, the Department of Justice moved to seize $7.74 million in frozen crypto tied to North Korean IT workers. The FBI estimates that the entire moneymaking operation could be worth hundreds of millions of dollars, with funds being routed to the regime across Russia, China, and even the US.