US Treasury officials announced sanctions this week aimed at shutting down a North Korea‑backed IT worker network that targeted crypto firms and other tech companies. Two individuals and four entities are now cut off from the US financial system.
According to Treasury Deputy Secretary Michael Faulkender, these steps are meant to stop the misuse of stolen identities and crypto theft that funds North Korea’s missile programs. It’s a sharp pivot from giant hacks to undercover operations.
Stealth Operations Uncovered
Based on reports from the Office of Foreign Assets Control (OFAC), the sanctions hit Song Kum Hyok, a North Korea‑based operator accused of stealing US citizens’ data to create fake identities.
Today, the Treasury’s Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People’s Republic of Korea (DPRK) IT worker schemes.
The DPRK generates significant revenue for its WMD and ballistic missile programs by…
— Treasury Department (@USTreasury) July 8, 2025
The operator then funneled those aliases to hired IT workers who applied to US firms. The other target is Gayk Asatryan, a Russian national who signed long‑term deals in 2024 with North Korean trading firms to employ dozens of North Korean developers in his companies.
All US assets tied to them—and to the four Russian entities named—are now frozen. That means Americans can’t make payments or open accounts linked to those sanctioned parties without risking civil or criminal penalties.
This afternoon the @USTreasury sanctioned a key North Korean cyber actor for running an IT worker scheme using fake US IDs to funnel funds to the DPRK. For more check out our blogpost here: https://t.co/MJ5a0jaoDL pic.twitter.com/i7fbe9STp5
— TRM Labs (@trmlabs) July 8, 2025
Hidden Workforce And Crypto Funding
North Korea’s IT workforce now numbers in the thousands. Most are based in China and Russia, but they apply for jobs at firms in wealthier countries via mainstream and niche recruiting sites.
According to OFAC, the aim is to raise cash for ballistic missile work by embedding skilled coders inside target firms. It’s a model that spreads risk and makes detection harder than a single big attack.
North Korea’s New Tactics
A recent Google study found that this kind of scheme has gone global. While elaborate hacks still grab headlines, state‑aligned groups are increasingly banking on deception.
That involves stealing data and posing as trusted workers rather than breaking into servers from the outside. It’s quieter. It’s often cheaper. And it can keep running for years before anyone notices.
Rising Crypto Losses And Shifts In Strategy
Blockchain‑intelligence firm TRM Labs reports that North Korea‑linked actors were behind about $1.6 billion of the $2.1 crypto stolen across 75 crypto hacks and exploits in the first half of 2025.
It’s a huge chunk. TRM Labs warns that while big exchange breaches still happen, a growing share of revenue now comes from these false‑identity worker schemes.
Featured image from Getty Images, chart from TradingView