US Treasury Sanctions North Korean IT Workers Over Crypto Fraud Scheme

Treasury Department Targets North Korea-Linked IT Worker Ring

The US Treasury has imposed sanctions on two individuals and four entities connected to a North Korea-operated IT worker scheme targeting cryptocurrency companies. The Treasury's Office of Foreign Assets Control announced the sanctions on Tuesday, citing infiltration attempts aimed at exploiting crypto businesses.

Key Individuals Sanctioned for Identity Theft and Fraud

The sanctions target Song Kum Hyok, a North Korea-based individual accused of stealing US citizens' personal information. Treasury officials say Song provided stolen identities to foreign IT workers who used these aliases to seek employment at US companies.

Russian national Gayk Asatryan also faced sanctions for allegedly employing dozens of North Korean IT workers through his companies. Asatryan reportedly signed long-term agreements with North Korean trading firms beginning in 2024.

North Korean IT Worker Infiltration Expands Globally

Fraudulent tech workers with ties to North Korea have been expanding their infiltration operations worldwide. A Google report from April revealed that the infrastructure supporting these schemes has spread across multiple countries beyond the United States.

Treasury Deputy Secretary Michael Faulkender emphasized the department's commitment to disrupting North Korea's efforts to circumvent sanctions through digital asset theft, identity impersonation, and cyber attacks.

Thousands of IT Workers Fund Missile Programs

The Treasury department reports that North Korea deploys thousands of highly skilled IT workers globally to generate revenue for its ballistic missile programs. The majority of these workers operate from China and Russia, primarily targeting employers in wealthier countries.

These workers utilize various mainstream and industry-specific networking platforms to secure employment and infiltrate target organizations.

Sanctions Impact and Legal Consequences

The new sanctions freeze all US assets connected to Asatryan, Song, and the four named Russian entities. US persons are now prohibited from conducting financial transactions or business dealings with these sanctioned parties, with violations subject to civil and criminal penalties.

North Korea Shifts from Hacking to IT Worker Infiltration

North Korea has historically relied on high-profile cryptocurrency hacks through groups like Lazarus Group, responsible for some of the largest crypto thefts in history. However, blockchain intelligence firm TRM Labs indicates a tactical shift toward deception-based revenue generation.

While exchange breaches remain significant, North Korea-linked operations increasingly focus on IT worker infiltration schemes rather than direct hacking attempts.

Massive Cryptocurrency Theft Attribution

TRM Labs estimates that North Korea-aligned actors are responsible for $1.6 billion of the $2.1 billion stolen across 75 crypto hacks and exploits in the first half of 2025. This represents a substantial portion of total cryptocurrency theft during this period.

US Authorities Increase Enforcement Actions

US authorities have intensified their crackdown on fraudulent North Korean IT worker schemes throughout 2025. On June 30, four North Korean nationals faced charges for wire fraud and money laundering after posing as remote workers at US and Serbian blockchain companies.

Additionally, on June 5, the US Department of Justice announced efforts to seize $7.74 million in frozen cryptocurrency allegedly earned by North Korean IT workers using fake identities while working as remote contractors at blockchain firms.

Ongoing Security Threats to Crypto Industry

The sanctions highlight the persistent security threats facing the cryptocurrency industry from state-sponsored actors. North Korean IT workers continue to target crypto companies through sophisticated infiltration schemes, combining traditional cybercrime tactics with employment fraud.

These operations represent a significant evolution in North Korea's approach to cryptocurrency theft, moving beyond direct hacking to more subtle, long-term infiltration strategies that can provide sustained access to target organizations.

The Treasury's action demonstrates the US government's commitment to protecting the cryptocurrency sector from foreign interference and maintaining the integrity of digital asset markets through targeted sanctions and enforcement actions.