U.S. Sanctions North Korean IT Worker Scheme Funding WMD Programs

The U.S. Treasury has taken decisive action against North Korean cyber activities by imposing sanctions on two individuals and four entities involved in a sophisticated IT worker scheme. The Office of Foreign Assets Control (OFAC) identified Song Kum Hyok, a North Korean national, as a key figure in orchestrating this scheme. Song was found to be central in recruiting North Korean nationals to obtain remote employment at unsuspecting companies using falsified identities and stolen U.S. personal information. These workers, operating from various countries, provided illicit revenue streams to the Kim regime, funding its weapons of mass destruction (WMD) and ballistic missile programs.

OFAC also sanctioned Gayk Asatryan, a Russian national, for allegedly using his companies to employ dozens of North Korean IT workers under long-term agreements signed with North Korean trading firms starting in 2024. The sanctions mean all U.S. assets connected to Asatryan, Song, and the four Russian entities are frozen, and it is now illegal for people in the U.S. to conduct any financial transactions or have business dealings with them under the threat of civil and criminal penalties.

North Korea has been notorious for its high-profile hacks, including some of the largest crypto hacks ever recorded. However, there is a shift in tactics. While exchange breaches remain significant, North Korean-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration. This method involves deploying thousands of skilled IT workers embedded in tech and crypto companies worldwide. These individuals use stolen documents, proxies, and aliases to apply for remote jobs, often in Web3, software development, or blockchain infrastructure. Payments made to these workers, typically in USDC or USDT, are laundered through complex wallet structures, privacy tools, and conversion channels, ultimately benefiting North Korean-controlled entities.

Song’s role in this scheme involved creating false personas using U.S. citizens’ personal data to secure job placements for North Korean operatives. The broader network includes companies based in Russia that contracted directly with North Korean trading firms to deploy workers under long-term agreements, further entrenching the regime’s access to foreign income. The U.S. government’s coordinated action includes the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). On June 5, 2025, the DOJ filed a civil forfeiture complaint in the District of Columbia seeking over USD 7.7 million in cryptocurrency, NFTs, and digital assets tied to a laundering network operated by North Korean IT workers. These workers were embedded in crypto companies and tech startups, using fraudulent identities to collect stablecoin payments from U.S. employers. The proceeds were consolidated and transferred to senior North Korean operatives, including Kim Sang Man and Sim Hyon Sop, both previously sanctioned.

Investigators uncovered extensive use of Russian and UAE-based infrastructure, IP addresses, and fake documentation, underscoring the international scale of the scheme. The FBI and other law enforcement partners successfully seized digital assets linked to these laundering operations, including USDC, ETH, and high-value NFTs. Wallet activity showed a systematic effort to fragment and obfuscate funds before conversion to fiat through OTC brokers, including one sanctioned by OFAC in late 2024. The U.S. government’s actions aim to disrupt these illicit activities and protect the integrity of the global financial system.