The Infiltration Of North Korean IT Workers Into American Businesses
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on North Korean national Song Kum Hyok and Russian national Gayk Asatryan for their roles in facilitating the infiltration of North Korean IT workers into the American workforce.
Song Kum Hyok was found to have direct ties to North Korea’s Reconnaissance General Bureau (RGB) and its notorious hacking unit, Andariel.
Using data he had stolen from U.S. citizens, Song helped to provide false identities for these North Korean workers so they could stay under the radar and remain undetected by their employers.
These fake IDs often allow the North Korean IT workers to get hired by American companies, where they work remotely. It was also noted that these IT workers often target crypto-related firms.
The earnings from these jobs were then split with Song, ultimately channeling funds back to North Korea’s sanctioned weapons programs.
Meanwhile, the Russian national, Gayk Asatryan, was caught employing dozens of North Korean IT workers to work at his two companies, Asatryan LLC and Fortuna LLC.
These workers were contracted through North Korean state trading companies, specifically Korea Songkwang Trading Corporation and Korea Saenal Trading Corporation, both of which have also been sanctioned for their involvement in dispatching workers overseas to generate revenue for the regime.
North Korea’s Evolving Cyber Operations
The operations conducted by the two men were part of North Korea’s wider effort to infiltrate crypto and tech firms worldwide.
Once embedded, these operatives exploit freelance platforms and crypto exchanges to receive and launder funds, ultimately sending the proceeds back to North Korea.
The Treasury highlighted that these workers are trained to deliberately conceal their identities, locations, and nationalities by using false personas, proxy accounts, stolen identities, and forged documentation.
This sophisticated approach allows them to bypass standard security checks and embed themselves within legitimate companies.
Investigators also noted a significant evolution in North Korea’s cyber strategy. While earlier operations focused on direct cyberattacks by groups like Lazarus, the regime now increasingly relies on planting workers in legitimate organizations as its main funding strategy.
Crypto investigator ZachXBT estimates that up to 920 North Korean IT workers have infiltrated positions within the digital asset sector, collectively generating over $16 million in payroll from unsuspecting employers.
U.S. authorities have recognised the rising threat of these operations and have intensified efforts to dismantle the infrastructure supporting North Korea’s IT infiltration schemes.
The Department of Justice has recently brought criminal charges against operatives linked to the DPRK and is actively pursuing asset forfeiture cases targeting millions of dollars in laundered cryptocurrency.
These actions underscore a strategic initiative to disrupt North Korea’s ability to exploit the global crypto sector for revenue, particularly as the regime continues to prioritize funding for its weapons programs through illicit cyber operations.