U.S. Sanctions North Korean IT Workers for Crypto Theft

The U.S. Treasury has taken decisive action against North Korean cyber activities by sanctioning two individuals and four entities involved in a scheme where North Korean IT workers infiltrated crypto companies to exploit them. The Office of Foreign Assets Control (OFAC) identified Song Kum Hyok, a North Korean national, for allegedly stealing U.S. citizens' information to create aliases for hired foreign IT workers seeking employment at U.S. companies. Additionally, Gayk Asatryan, a Russian national, was sanctioned for employing dozens of North Korean IT workers under long-term agreements with North Korean trading firms starting in 2024.

This action highlights the growing infiltration operations by North Korean tech workers, who have been expanding their schemes globally. The Treasury remains committed to disrupting the Kim regime’s efforts to circumvent sanctions through digital asset theft, impersonation of Americans, and malicious cyber-attacks. North Korea aims to generate revenue for its ballistic missile programs by deploying a large workforce of highly skilled IT workers worldwide, primarily targeting employers in wealthier countries.

The sanctions freeze all U.S. assets connected to the sanctioned individuals and entities, making it illegal for U.S. citizens to conduct any financial transactions or business dealings with them. This move is part of a broader effort to counter North Korea’s misuse of the crypto ecosystem and its evolving tactics, which now include deception-based revenue generation through IT worker infiltration. The U.S. government’s coordinated efforts, involving the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI), demonstrate a strong commitment to disrupting North Korea’s attempts to circumvent sanctions.

On June 5, 2025, the DOJ filed a civil forfeiture complaint seeking over USD 7.7 million in cryptocurrency, NFTs, and digital assets tied to a laundering network operated by North Korean IT workers. These workers, using fraudulent identities, collected stablecoin payments from U.S. employers, which were then routed through centralized exchanges and self-hosted wallets before being transferred to senior North Korean operatives. The FBI and other law enforcement partners successfully seized digital assets linked to these laundering operations, including USDC, ETH, and high-value NFTs.

The first half of 2025 has seen a dramatic increase in crypto-related thefts, with threat actors stealing over USD 2.1 billion across 75 hacks and exploits. North Korea is responsible for approximately USD 1.6 billion of those losses, driven by the USD 1.5 billion Bybit hack. While exchange breaches remain significant, North Korean-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration. This shift highlights the evolving tactics used by North Korea to evade sanctions and generate illicit revenue.

The U.S. Treasury’s action against North Korean cyber activities is part of a broader effort to counter the regime’s misuse of the crypto ecosystem. The designation of Song Kum Hyok and the associated entities underscores the importance of vigilance in countering North Korea’s cyber threats. The coordinated efforts by the U.S. government, including OFAC, DOJ, and FBI, demonstrate a commitment to disrupting the Kim regime’s attempts to circumvent sanctions through digital asset theft and cyber-attacks.