This week, US Treasury officials declared new sanctions targeting a North Korea‑backed network of IT workers exploiting vulnerabilities in various technology firms, especially in the cryptocurrency sector. The sanctions affect two individuals and four entities, isolating them from the US financial system.
Deputy Treasury Secretary Michael Faulkender emphasized that these measures are integral to curbing the use of stolen identities and cryptocurrency theft to finance North Korea’s missile programs. The scheme marks a notable shift from large-scale hacks to more subtle, covert operations.

Unmasking Covert Operations
Recent findings from the Office of Foreign Assets Control (OFAC) revealed that the sanctions were directed at Song Kum Hyok, a North Korean operative implicated in hijacking personal user data to fabricate identities.
Today, the Treasury’s Office of Foreign Assets Control is acting against individuals and entities facilitating the Democratic People’s Republic of Korea (DPRK) IT worker schemes.
The DPRK collects substantial income for its WMD and missile initiatives by…
— Treasury Department (@USTreasury) July 8, 2025
This operator redirected the stolen identities to recruit IT workers who sought job openings at US companies. Another identified target, Gayk Asatryan, a Russian national, engaged in extensive contracts with North Korean firms to onboard numerous North Korean tech professionals into his business operations.
All assets belonging to the sanctioned individuals and the four Russian entities are now subject to freezing, and any transactions or account openings involving them are prohibited under the sanctions.
This afternoon the @USTreasury imposed sanctions on a key North Korean cyber actor for implementing an IT worker scheme using falsified US IDs for funding the DPRK. For more details, visit our blog here: pic.twitter.com/i7fbe9STp5
— TRM Labs (@trmlabs) July 8, 2025
Covert Workers and Cryptocurrency Financing
The scale of North Korea’s IT workforce has swelled to the thousands, with many operatives located in China and Russia. These individuals frequently apply for positions in prosperous economies through both mainstream and specialized recruitment platforms.
OFAC’s investigation indicates that the strategy is to procure resources for missile technology by embedding skilled programmers within targeted organizations. This method carries a lower risk of exposure than traditional, high-profile attacks.
Emerging North Korean Strategies
A recent investigation by Google has revealed that such schemes have expanded on a global scale. Even though high-profile cyber attacks still generate buzz, state-sponsored entities are increasingly relying on deceptive tactics.

This strategy relies on data theft and on impersonating legitimate workers, rather than on breaching servers from the outside. The approach is not only stealthy but also more cost-effective, and it can run for years without detection.
Increasing Cryptocurrency Theft and Tactical Shifts
According to TRM Labs, North Korea-linked entities were responsible for approximately $1.6 billion of the $2.1 billion stolen in cryptocurrency across 75 incidents in the first half of 2025. This represents a significant percentage of the total thefts.
The firm warns that while breaches of large exchanges continue, an increasing proportion of illicit revenue now stems from these deceptive employment schemes.