The U.S. Treasury has imposed sweeping sanctions on individuals and entities linked to a North Korea-run IT network accused of infiltrating American crypto companies to steal funds and sensitive data. According to the Office of Foreign Assets Control (OFAC), North Korean national Song Kum Hyok used stolen identities of U.S. citizens to help foreign-based IT operatives land jobs at American firms under false pretenses.

Also sanctioned is Russian citizen Gayk Asatryan, who allegedly employed dozens of North Korean workers through long-term deals with Pyongyang-linked trading companies beginning in 2024. Four Russian companies involved in the scheme have also been blacklisted.

This covert global operation is part of North Korea’s larger effort to generate income for its ballistic missile program. Thousands of skilled North Korean IT workers—many based in China and Russia—are said to target employers in wealthier countries using mainstream platforms and tech job networks.

The sanctions freeze all U.S.-connected assets of the named individuals and entities, and make it illegal for Americans to engage in any transactions with them. Violators face serious legal penalties.

While North Korea has been behind record-breaking crypto hacks in the past—such as the $1.5 billion Bybit attack—experts say the regime is shifting strategies. Blockchain firm TRM Labs reports that cybercriminals linked to Pyongyang are moving away from brute-force attacks and toward long-term deception, posing as freelance developers and remote contractors.

In the first half of 2025 alone, North Korea-linked actors were responsible for $1.6 billion of the $2.1 billion stolen in 75 crypto-related incidents. U.S. prosecutors continue their crackdown, recently charging four North Koreans and pursuing the seizure of $7.74 million in crypto tied to these fraud schemes.