U.S. Sanctions North Korean Hacker Linked to Fraudulent IT Worker Scheme

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Song Kum Hyok, a 38-year-old North Korean national residing in China’s Jilin province, for his role in a fraudulent remote information technology (IT) worker scheme. Song is assessed to be a member of the North Korean hacking group Andariel.

Between 2022 and 2023, Song allegedly used the personal information of U.S. citizens, including names, addresses, and Social Security numbers, to create false identities. North Korean IT workers then used these fabricated personas to obtain remote employment with U.S. companies, with the intention of funneling the earned income back to the North Korean regime.

This sanction follows recent actions by the U.S. Department of Justice (DoJ), which announced a crackdown on the North Korean IT worker scheme. The operation led to the arrest of an individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

In addition to targeting Song, the Treasury Department has sanctioned Russian national Gayk Asatryan and his Russia-based companies, Asatryan LLC and Fortuna LLC. These entities were found to have employed North Korean IT workers as part of the fraudulent scheme. Furthermore, two North Korean trading corporations, Korea Songkwang Trading General Corporation and Korea Saenal Trading Corporation, were sanctioned for their roles in dispatching IT workers to Russia to work for Asatryan’s companies.

This marks the first time a member of Andariel, a sub-cluster within the notorious Lazarus Group, has been directly linked to the IT worker scheme. The Lazarus Group is associated with North Korea’s Reconnaissance General Bureau (RGB) and has a history of cyberattacks aimed at generating illicit revenue for the regime.

Deputy Secretary of the Treasury Michael Faulkender emphasized the significance of these actions, stating that they highlight the need for vigilance against North Korea’s ongoing efforts to clandestinely fund its weapons of mass destruction and ballistic missile programs. He affirmed the Treasury’s commitment to disrupting the Kim regime’s attempts to circumvent sanctions through digital asset theft, impersonation of Americans, and malicious cyber activities.

The fraudulent IT worker scheme, also known as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean operatives using stolen or fabricated identities to secure remote IT positions with U.S. companies. The salaries earned through these positions are then funneled back to the North Korean regime, often through complex cryptocurrency transactions.

This insider threat is one of several methods employed by Pyongyang to generate revenue. According to data compiled by TRM Labs, North Korea was responsible for approximately $1.6 billion of the $2.1 billion stolen in 75 cryptocurrency hacks and exploits during the first half of 2025. This includes a significant heist involving the cryptocurrency exchange Bybit earlier this year.

While the U.S. has been at the forefront of countering these threats, other nations are also taking steps to address the issue. Michael "Barni" Barnhart, Principal i3 Insider Risk Investigator at DTEX, noted that this is a complex, transnational issue with many moving parts, and that international cooperation is essential to effectively combat these cyber threats.

The Andariel group, also known as Silent Chollima and Stonefly, has been active since at least 2009. It is a sub-cluster within the Lazarus Group and is associated with North Korea’s Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements. Andariel has a history of conducting espionage attacks against foreign government and military entities of strategic interest, as well as engaging in cybercrime to generate additional income for the sanctions-hit nation.

In recent years, Andariel has increasingly turned to financially motivated attacks against U.S. organizations. In August 2024, the group targeted three different organizations in the U.S. in attacks assessed to be financially motivated, although the attackers did not succeed in deploying ransomware on the affected networks.

Andariel has also been observed developing and deploying custom malware strains, such as EarlyRat, in its operations. The group typically gains initial access by exploiting vulnerable, internet-exposed software, and the exploit payload then downloads additional malware from command-and-control servers.

The U.S. Treasury Department has previously sanctioned Andariel for its involvement in malicious cyber activity against critical infrastructure. In September 2019, the Treasury sanctioned three North Korean hacking groups, Lazarus Group, Bluenoroff, and Andariel, for their roles in global cyberattacks. At the time, Andariel was noted for attempting to steal bank card information by hacking into ATMs to withdraw cash or to steal customer information for sale on the black market, and for developing unique malware to hack into online poker and gambling sites to steal cash.

The recent sanctions against Song Kum Hyok and associated entities underscore the U.S. government’s commitment to combating North Korea’s illicit cyber activities. By targeting individuals and organizations involved in these schemes, the U.S. aims to disrupt the financial networks that support the North Korean regime’s weapons programs and other malign activities.

As North Korea continues to adapt and evolve its cyber operations, governments and organizations worldwide will need to remain vigilant and proactive in defending against these threats. Collaboration and information sharing among international partners are essential to countering the persistent cyber activities emanating from North Korea.