U.S. sanctions North Korean hacker over remote IT worker scheme

The Treasury has blacklisted a North Korean cyber actor for running a fraud network that planted disguised IT workers in U.S. companies.

 

What happened

The U.S. Department of the Treasury has sanctioned Song Kum Hyok, a member of North Korea’s Andariel hacking group, for running a scheme that helped generate revenue for the regime’s weapons programs. The operation involved placing North Korean IT workers, using stolen or falsified American identities, into remote roles at U.S. companies. Song facilitated the effort and transmitted a share of the income back to Pyongyang.

 

Going deeper

Andariel, a financially motivated hacking unit tied to North Korea’s Reconnaissance General Bureau and the broader Lazarus Group, has previously been linked to ransomware attacks and crypto thefts. Song’s role focused on using identity fraud to help DPRK nationals, working from countries like China and Russia, gain unauthorized access to U.S.-based remote jobs.

Some of these workers acted as insiders, installing malware and exfiltrating data from company networks. Between 2022 and 2023, Song reportedly used stolen names, Social Security numbers, and addresses from U.S. citizens to create fake job candidate profiles.

In addition to sanctioning Song, the Treasury’s Office of Foreign Assets Control (OFAC) also listed five affiliated individuals and entities, including two North Korean trading corporations and Russian business entities controlled by Russian national Gayk Asatryan.

 

What was said

According to the Treasury, “In some cases, these DPRK IT workers have been known to introduce malware into company networks for additional exploitation.” The statement highlights how legitimate IT hiring pipelines are being manipulated to finance North Korea’s weapons development.

The sanctions freeze any U.S.-based assets, ban transactions with American individuals or entities, and threaten penalties for any non-U.S. actors who continue to do business with the named parties.

 

The big picture

The sanctions against Song Kum Hyok represent a direct response to North Korea’s use of fraudulent remote employment to generate revenue for state programs. By placing disguised IT workers in U.S. companies, the scheme enabled unauthorized access to corporate networks and allowed earnings to be funneled back to Pyongyang. The Treasury’s action builds on earlier enforcement efforts and targets both individuals and supporting entities across multiple countries. The case shows how identity fraud and remote work infrastructure have been weaponized to support state-backed cyber operations.

 

FAQs

How do these North Korean IT worker schemes typically operate?

The workers apply for remote jobs using fake or stolen identities, often posing as U.S. citizens, and then funnel part of their income back to North Korea.

 

What risks do companies face by unknowingly hiring these workers?

Beyond reputational and regulatory risks, companies could suffer data breaches, malware infections, or compliance violations if sanctions are breached.

 

How do U.S. sanctions impact foreign entities working with these actors?

Any non-U.S. businesses or financial institutions that continue transactions with sanctioned individuals or companies risk secondary sanctions and enforcement actions.

 

What is a “laptop farm,” and how was it used in these operations?

Laptop farms refer to coordinated setups where sanctioned IT workers remotely access company systems using preconfigured devices, often located outside the U.S., to mask their true location and identity.

 

What can companies do to prevent hiring threat actors under false identities?

Implement stricter identity verification, require in-person or third-party onboarding for sensitive roles, and cross-check applicant data with government-issued identification and compliance watchlists.