U.S. Sanctions North Korean Cyber Operatives for Crypto Theft

Generated by AI Agent Coin World
Tuesday, Jul 8, 2025 10:38 pm ET

The U.S. Treasury has taken decisive action against North Korean cyber activities by sanctioning two individuals and four entities involved in a scheme that infiltrated crypto companies to exploit them. The Office of Foreign Assets Control (OFAC) identified Song Kum Hyok, a North Korean national, for allegedly stealing U.S. citizens' information to create aliases for hired foreign IT workers seeking employment at U.S. companies. This operation aimed to generate revenue for North Korea's ballistic missile programs by deploying a large workforce of highly skilled IT workers globally, with a significant presence in China and Russia.

OFAC also sanctioned Gayk Asatryan, a Russian national, for allegedly using his companies to employ dozens of North Korean IT workers under long-term agreements signed with North Korean trading firms starting in 2024. The sanctions freeze all U.S. assets connected to Asatryan, Song, and the four Russian entities named, making it illegal for U.S. citizens to conduct any financial transactions or have business dealings with them under the threat of civil and criminal penalties.

North Korea has been notorious for its high-profile hacks, including the $1.5 billion Bybit exploit in February. However, there is a shift in tactics, with North Korea-aligned bad actors increasingly focusing on deception-based revenue generation, such as IT worker infiltration. This strategy involves using stolen documents, proxies, and aliases to apply for remote jobs in Web3, software development, or blockchain infrastructure. Payments made to these workers, typically in USDC or , are laundered through complex wallet structures, privacy tools, and conversion channels, ultimately benefiting DPRK-controlled entities.

Song’s role in this scheme involved creating false personas using U.S. citizens’ personal data to secure job placements for DPRK operatives. The broader network includes companies based in Russia that contracted directly with North Korean trading firms to deploy workers under long-term agreements, further entrenching the regime’s access to foreign income.

The U.S. government's coordinated action includes the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). On June 5, 2025, the DOJ filed a civil forfeiture complaint seeking over USD 7.7 million in cryptocurrency, NFTs, and digital assets tied to a laundering network operated by North Korean IT workers. These workers were embedded in crypto companies and tech startups, using fraudulent identities to collect stablecoin payments from U.S. employers. The proceeds were consolidated and transferred to senior DPRK operatives, including Kim Sang Man and Sim Hyon Sop, both previously sanctioned.

Investigators uncovered extensive use of Russian and UAE-based infrastructure, IP addresses, and fake documentation, underscoring the international scale of the scheme. The FBI and other law enforcement partners successfully seized digital assets linked to these laundering operations, including USDC, ETH, and high-value NFTs. Wallet activity showed a systematic effort to fragment and obfuscate funds before conversion to fiat through OTC brokers, including one sanctioned by OFAC in late 2024.

The first half of 2025 has seen a dramatic increase in crypto-related thefts, with threat actors stealing over USD 2.1 billion across 75 hacks and exploits. North Korea is responsible for approximately USD 1.6 billion of those losses, driven by the USD 1.5 billion Bybit hack. While exchange breaches remain significant, DPRK-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration.

The U.S. Treasury's action highlights the role of the DPRK’s Reconnaissance General Bureau (RGB) in supporting weapons development through cyber-enabled operations. This reinforces prior sanctions on groups including Lazarus, Bluenoroff, and the Technical Reconnaissance Bureau. The designation underscores the importance of vigilance in countering North Korea's continued efforts to clandestinely fund its weapons programs through digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks. The U.S. remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions.