US Sanctions North Korean Hacker Song Kum Hyok for Cyber Fraud

The US Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on North Korean cyber actor Song Kum Hyok. This action is part of a broader effort to disrupt the Democratic People’s Republic of Korea’s (DPRK) military projects and financial operations. Song Kum Hyok is associated with the Andariel hacking group and has been instrumental in facilitating fraudulent employment schemes for DPRK IT workers. These schemes involve recruiting DPRK nationals in Russia and China, providing them with false identities and nationalities to work for unsuspecting firms. The program exploits innocent businesses to generate revenue for the DPRK government, often through the infection of business networks with malware.

Song Kum Hyok’s operations have been particularly sophisticated, using stolen personal data to create aliases for hired foreign workers. These workers then pose as US persons seeking remote employment, targeting employers in wealthier countries through mainstream freelance contracting and payment platforms. The applications developed by DPRK IT workers span various sectors, including business, health, fitness, social networking, and entertainment. The DPRK maintains thousands of highly skilled IT workers globally, primarily located in China and Russia, who generate revenue that contributes to the regime’s weapons of mass destruction programs. These workers often take projects involving virtual currency and use crypto exchanges for fund management.

Song Kum Hyok faces designation under Executive Order 13694 for receiving funds through cyber-enabled means. This designation targets commercial advantage and private financial gain from misappropriated information and resources. The sanctions also extend to Russian citizen Gayk Asatryan, who contracts North Korean IT personnel through Russian-based businesses. Asatryan and Korea Songkwang Trading General Corporation inked a 10-year agreement in the middle of 2024, allowing the dispatch of up to 30 DPRK IT workers to Russia for Asatryan Limited Liability Company. Asatryan also contracted with Korea Saenal Trading Corporation for additional worker deployment arrangements, with Fortuna Limited Liability Company sending 50 DPRK IT specialists to Russia. Both companies operate under Asatryan’s control to facilitate the worker placement schemes.

OFAC designated Asatryan under Executive Order 13722 for attempting to export workers from North Korea. The designation targets revenue generation for the Government of North Korea and Workers’ Party. Asatryan LLC and Fortuna LLC face sanctions for being owned or controlled by Asatryan. Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation also face sanctions for engaging in commercial activity generating regime revenue. These DPRK companies facilitate the overseas deployment of IT workers through contractual arrangements, operating across multiple jurisdictions to obscure the true nature of employment relationships. Russian companies provide legal frameworks for DPRK worker deployment while maintaining plausible deniability, allowing North Korean workers to access international markets through Russian business entities.

These contracts formalize what previously operated as informal worker placement schemes across international borders. The structured approach indicates increased sophistication in DPRK revenue generation efforts through legitimate business channels. The sanctions action is part of the US government's efforts to counter DPRK strategic interests through cyber espionage. Deputy Secretary Michael Faulkender highlighted the importance of remaining vigilant against DPRK financing of weapons programs. The US Treasury is dedicated to stopping attempts by the Kim dictatorship to use digital asset theft as a means of evading sanctions. The Lazarus Group, Bluenoroff, and Andariel were previously sanctioned by OFAC on September 13, 2019, for planning virtual currency thefts. The Technical Reconnaissance Bureau was sanctioned on May 23, 2023, for the development of offensive cyber capabilities. Its sub-unit cyber organization, the 110th Research Center, is also sanctioned for assisting DPRK activities. United Nations Security Council Resolution 2270 sanctioned the RGB in March 2016 for assistance in weapons development.

All property and interests of blocked persons held in US custody must be blocked. Entities controlled by 50% or more of the blacklisted individuals are likewise blocked. US citizens are required by law to notify OFAC of any banned property. OFAC rules bar US persons from engaging in any transaction with blocked persons unless authorized properly. Offenses of sanctions by US persons can be criminal or civil in nature for foreign or domestic persons. Banks may face sanctions for transactions with listed persons. The end objective is centered on the delivery of positive behavioral adjustment instead of punishment. OFAC is empowered to delist individuals from the Specially Designated Nationals List as necessary. Integrity in sanctions stems from designation and delisting power under existing legal frameworks.