The United States Treasury Department has imposed new sanctions targeting a North Korea-linked cyber network accused of placing IT workers inside crypto firms to steal sensitive data and divert funds to the regime’s weapons programs.
According to a July 9 announcement by the Office of Foreign Assets Control (OFAC), two individuals and four Russia-based entities were designated for their roles in helping North Korea establish a network of fraudulent tech workers embedded in US-based blockchain and crypto companies.
OFAC specifically named Song Kum Hyok, a North Korean national accused of stealing identities of US citizens to facilitate remote employment for DPRK operatives. He allegedly distributed these falsified identities to North Korean contractors to secure jobs at Western firms under false pretences.
North Korea’s cyber shift: From hacks to deception
While North Korea’s Lazarus Group and other hacker collectives have been blamed for some of the largest crypto thefts on record including the $1.5 billion Bybit hack in February 2025 new findings suggest a strategic pivot.
According to blockchain analytics firm TRM Labs, Pyongyang is increasingly shifting from high-profile exchange hacks to deception-based operations. These include embedding operatives in foreign tech firms under the guise of legitimate remote employment.
Increasingly, DPRK-linked operations are relying on long-term infiltration rather than smash-and-grab cyberattacks. The firm estimates North Korean actors accounted for $1.6 billion of the $2.1 billion in crypto losses from 75 cyber exploits in the first half of 2025 alone.
The scheme spans global infrastructure, with an April 2025 report from Google revealing that the fraud network’s backbone extends across Russia, China, and Southeast Asia, where DPRK-linked workers often operate from.
Sanctions and legal measures intensify
With this latest designation, all US-based assets held by Song, Asatryan, and the four related Russian companies are now frozen. US individuals and businesses are prohibited from conducting any transactions with them, under threat of civil or criminal penalties.
The crackdown is part of a broader campaign by US authorities to disrupt North Korea’s use of the crypto sector for sanctions evasion. On June 30, four North Koreans were charged with wire fraud and money laundering, accused of posing as remote blockchain developers based in the US and Serbia.
Earlier, on June 5, the Department of Justice moved to seize $7.74 million in crypto it says was earned by DPRK IT workers using falsified identities to work as freelance developers for US crypto startups.
As North Korea seeks to sidestep sanctions through digital channels, these enforcement actions are likely just the beginning. The Treasury and Department of Justice are expected to continue ramping up surveillance, prosecutions, and seizure operations targeting cyber-financed weapons programs.