Key Insights:
- The US government has just sanctioned two individuals and four Russian entities linked to the cyber crypto campaign.
- North Korean cyber operatives are increasingly favoring infiltration over brute-force hacking.
- They have been responsible for billions being stolen from the crypto space in multiple events this year alone.
The United States has imposed fresh sanctions on a new North Korea-backed cyber operation. This group has allegedly been using remote job applications to funnel stolen crypto funds into Kim Jong Un’s nuclear weapons program.
The latest developments show that North Korean cyber attacks are escalating from brute-force hacking to infiltration and theft of funds from the inside. Here are the details.
Infiltration Through Employment, Not Just Crypto Hacking
North Korea’s cyber attacks have made headlines many times in the past for damaging hacks, including the notorious Lazarus Group’s involvement in some of the largest crypto thefts to date.
However, according to recent findings by the US Treasury and blockchain analytics firm TRM Labs, the regime is now investing heavily in other methods. One of the most disturbing of these is the use of highly skilled IT workers posing as remote contractors.
Today, the Treasury’s Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People’s Republic of Korea (DPRK) IT worker schemes.
The DPRK generates significant revenue for its WMD and ballistic missile programs by…
— Treasury Department (@USTreasury) July 8, 2025
These contractors secure employment at US-based blockchain and crypto companies, and they do more than steal data.
They pose as real employees by assuming the identities of US citizens. They exploit company access, plant malware and collect salaries that are funneled back to the North Korean government.
According to reports, their work spans sectors including business software, health and fitness apps, social networking, sports, entertainment and crypto exchanges.
Sanctions Target Individuals and Front Companies
On July 8, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals and four Russian entities linked to the crypto cyber campaign.
Among those named was Song Kum Hyok, a North Korean operative and a member of the Andariel hacking group. For context, the Andariel hacking group is part of Kim Jong Un’s military intelligence wing known as the Reconnaissance General Bureau.
Song is accused of masterminding a massive identity theft campaign dating as far back as 2022, stealing names, Social Security numbers, and other personal information from American citizens.
These stolen identities were then used to disguise North Korean IT workers as real job applicants.
The workers, once hired, would share the income with Song and other operatives. In some cases, they would even go as far as inserting malware into company systems.
Another sanctioned individual was Gayk Asatryan, a Russian national who allegedly signed a 10-year agreement with North Korean trading firms in 2024.
This afternoon the @USTreasury sanctioned a key North Korean cyber actor for running an IT worker scheme using fake US IDs to funnel funds to the DPRK. For more check out our blogpost here: https://t.co/MJ5a0jaoDL pic.twitter.com/i7fbe9STp5
— TRM Labs (@trmlabs) July 8, 2025
Under this deal, he formed a network called the “Asatryan IT Worker Network”, which would host up to 30 North Korean IT specialists in Russia. He assisted them with several tasks, including securing jobs in Western tech firms.
So far, the four sanctioned individuals tied to Asatryan are barred from accessing any assets within the US. They also face criminal penalties for any ongoing or future transactions with US companies.
All To Fund Weapons of Mass Destruction
US officials believe the ultimate goal of this cyber hacking scheme, which has spanned years, is to support North Korea’s weapons development. Treasury Deputy Secretary Michael Faulkender stated that thousands of North Korean IT workers, mostly stationed in Russia and China, are actively targeting crypto companies in wealthier nations.
Their income, often obtained under fake identities, is funneled back to the regime to pay for its arsenal and nuclear warheads.
“The Kim regime is determined to evade sanctions using every digital loophole it can find,” Faulkender emphasized. “From digital asset theft to fake job applications, their tactics are evolving. We are using all available tools to disrupt these networks.”
Massive Losses in the Crypto Sector
According to TRM Labs, North Korean bad actors were responsible for $1.6 billion in theft from crypto firms during the first half of the year alone. This accounts for over three-quarters of the total $2.1 billion stolen across 75 major crypto hacks in that timeframe.
While exchange hacks remain a risk, other strategies like IT worker infiltration are increasingly preferred because of their lower visibility and high return.
Similarly, on June 30, four North Korean nationals were charged with wire fraud and money laundering after allegedly posing as remote workers at blockchain firms in the US and Serbia.
Earlier, on June 5, the DOJ moved to seize $7.74 million in frozen crypto tied to North Korean IT workers. According to the FBI, the entire moneymaking operation could be worth hundreds of millions of dollars, with funds being routed to the regime across Russia, China, and even the US.
The post New North Korean Hacker Group Sanctioned Over Crypto Thefts In The US appeared first on Live Bitcoin News.