In a decisive move to counter North Korea’s use of cyber-enabled tactics to fund its weapons development, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on key individuals and entities tied to the Democratic People’s Republic of Korea’s (DPRK) Reconnaissance General Bureau (RGB) and its affiliated Andariel hacking group.
Among those sanctioned is Song Kum Hyok, a DPRK-based malicious cyber actor linked to Andariel. Song is accused of facilitating a clandestine IT worker scheme involving DPRK nationals operating under false identities from countries like China and Russia.
According to the Treasury’s release, Song orchestrated a scheme in which North Korean IT professionals were embedded into global companies—often posing as citizens of the U.S. or other countries. These operatives used falsified documentation, proxy accounts, and stolen identities to land jobs in industries such as technology, health, finance, and especially virtual currency.
Once inside corporate networks, these DPRK operatives sometimes went beyond passive infiltration. In some cases, they introduced malware for further exploitation, directly compromising sensitive infrastructures.
“Song used U.S. persons’ information, including names, Social Security numbers, and addresses to create aliases for the hired foreign workers… posing as U.S. persons looking for remote jobs with U.S. companies,” the Treasury revealed.
OFAC has reaffirmed that Andariel—a subordinate of the RGB—is deeply entrenched in cyber espionage and financial theft operations to support North Korea’s military ambitions. Previously, OFAC sanctioned the Lazarus Group, Bluenoroff, and Andariel in 2019, following evidence of virtual currency heists and malware campaigns.
In its latest action, the Treasury also highlighted Song’s violation of Executive Order 13694, later amended by E.O. 14306, for cyber-enabled misappropriation of financial and personal data that threatens U.S. national security and economic stability.
Sanctions weren’t limited to Song. OFAC also named Gayk Asatryan, a Russian national, for facilitating the deployment of DPRK IT workers into Russia. Through Asatryan LLC and Fortuna LLC, he signed contracts to host up to 80 North Korean workers, in direct violation of international sanctions.
“Asatryan signed a 10-year contract with Korea Songkwang Trading… and another with Korea Saenal Trading Corporation to dispatch DPRK IT workers to Russia,” the advisory states.
These workers generated revenue funneled back to the North Korean government, despite sanctions aimed at choking off funding for nuclear and missile programs.
The DPRK’s IT worker program is no ordinary labor export—it’s a well-organized state-sponsored campaign. Treasury officials emphasized that these schemes are “precision-engineered digital infiltrations” designed to bypass sanctions and fuel cyber espionage.
OFAC warns companies across the globe—especially in the virtual currency and technology sectors—to be on alert:
- Verify identities rigorously
- Monitor developer activity for anomalies
- Enforce strict access control and insider threat detection