U.S. blacklists North Korean network tied to crypto hacks

NEWS IN BRIEF

US Treasury sanctions individuals and firms linked to North Korea’s crypto-focused IT worker infiltration scheme.
Thousands of North Korean tech workers planted in Western firms to fund missile programs, officials say.
TRM Labs notes a shift in DPRK cybercrime tactics from hacking to deception-driven operations.

The United States Treasury Department has imposed new sanctions targeting a North Korea-linked cyber network accused of placing IT workers inside crypto firms to steal sensitive data and divert funds to the regime’s weapons programs.

According to a July 9 announcement by the Office of Foreign Assets Control (OFAC), two individuals and four Russia-based entities were designated for their roles in helping North Korea establish a network of fraudulent tech workers embedded in US-based blockchain and crypto companies.

OFAC specifically named Song Kum Hyok, a North Korean national accused of stealing identities of US citizens to facilitate remote employment for DPRK operatives. He allegedly distributed these falsified identities to North Korean contractors to secure jobs at Western firms under false pretences.

Subscribe to our

Get weekly updates on the newest crypto stories, case studies and tips right in your mailbox.

Today, the Treasury's Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People's Republic of Korea (DPRK) IT worker schemes.

The DPRK generates significant revenue for its WMD and ballistic missile programs by…
— Treasury Department (@USTreasury) July 8, 2025

North Korea’s cyber shift: From hacks to deception

While North Korea’s Lazarus Group and other hacker collectives have been blamed for some of the largest crypto thefts on record including the $1.5 billion Bybit hack in February 2025 new findings suggest a strategic pivot.

According to blockchain analytics firm TRM Labs, Pyongyang is increasingly shifting from high-profile exchange hacks to deception-based operations. These include embedding operatives in foreign tech firms under the guise of legitimate remote employment.

Increasingly, DPRK-linked operations are relying on long-term infiltration rather than smash-and-grab cyberattacks. The firm estimates North Korean actors accounted for $1.6 billion of the $2.1 billion in crypto losses from 75 cyber exploits in the first half of 2025 alone.

The scheme spans global infrastructure, with an April 2025 report from Google revealing that the fraud network’s backbone extends across Russia, China, and Southeast Asia, where DPRK-linked workers often operate from.

🚨 This afternoon the @USTreasury sanctioned a key North Korean cyber actor for running an IT worker scheme using fake US IDs to funnel funds to the DPRK. For more check out our blogpost here: https://t.co/MJ5a0jaoDL pic.twitter.com/i7fbe9STp5
— TRM Labs (@trmlabs) July 8, 2025

Sanctions and legal measures intensify

With this latest designation, all US-based assets held by Song, Asatryan, and the four related Russian companies are now frozen. US individuals and businesses are prohibited from conducting any transactions with them, under threat of civil or criminal penalties.

The crackdown is part of a broader campaign by US authorities to disrupt North Korea’s use of the crypto sector for sanctions evasion. On June 30, four North Koreans were charged with wire fraud and money laundering, accused of posing as remote blockchain developers based in the US and Serbia.

Earlier, on June 5, the Department of Justice moved to seize $7.74 million in crypto it says was earned by DPRK IT workers using falsified identities to work as freelance developers for US crypto startups.

As North Korea seeks to sidestep sanctions through digital channels, these enforcement actions are likely just the beginning. The Treasury and Department of Justice are expected to continue ramping up surveillance, prosecutions, and seizure operations targeting cyber-financed weapons programs.