The U.S. Department of the Treasury recently imposed sanctions on Song Kum Hyok, a North Korean cyber operative linked to the notorious Andariel hacking group. This action targets his central role in orchestrating a fraudulent IT worker scheme that generated illicit revenue for the North Korean regime, supporting its weapons of mass destruction (WMD) and ballistic missile programs.
Key Details of the Scheme
Who Was Sanctioned
Song Kum Hyok, a 38-year-old North Korean national associated with the Andariel group, which operates under North Korea’s Reconnaissance General Bureau (RGB)—the country’s main military intelligence agency.
How the Scheme Worked
Song facilitated the recruitment of North Korean IT workers, primarily based in China and Russia. He provided these workers with stolen U.S. identities, including names, addresses, and Social Security numbers, to create aliases. Using these false identities, the workers posed as U.S. citizens and secured remote employment with unwitting U.S. and international companies.
The workers’ salaries, often paid in cryptocurrency, were funneled back to the North Korean regime through complex laundering channels.
Bad boys, bad boys
In addition to generating revenue, some of these IT workers introduced malware into company networks, enabling further cyber exploitation and theft. The scheme exploited mainstream freelance and payment platforms, targeting sectors such as business, health, fitness, social networking, and entertainment.
Broader Sanctions and Enforcement
The U.S. also sanctioned Russian national Gayk Asatryan and four companies involved in similar Russia-based IT worker schemes, which contracted and hosted North Korean workers under formal agreements. These international networks provided a legal framework for North Korean workers to access global markets and obscure the true nature of their employment.
U.S. Government Statements
Officials emphasized the importance of remaining vigilant against North Korea’s efforts to clandestinely fund its WMD and ballistic missile programs through cyber-enabled operations and digital asset theft. The Treasury Department reaffirmed its commitment to disrupting the Kim regime’s attempts to circumvent international sanctions through impersonation, cyberattacks, and the export of IT workers.
Impact and Compliance
- All property and interests of sanctioned individuals and entities in U.S. custody are blocked.
- U.S. persons are prohibited from engaging in transactions with these designated parties, and violations may result in civil or criminal penalties.
- The sanctions are part of ongoing efforts to counter North Korea’s strategic use of cyber operations for revenue generation and espionage.