Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
July 7, 2025

US Treasury Sanctions North Korean Cyber Facilitator Linked to IT Worker Scheme

TRM BlogInsightsInsights
US Treasury Sanctions North Korean Cyber Facilitator Linked to IT Worker Scheme

On July 8, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Song Kum Hyok, a DPRK-based cyber actor affiliated with the North Korean hacking unit Andariel. Song played a central role in orchestrating an IT worker scheme, recruiting North Korean nationals to obtain remote employment at unsuspecting companies using falsified identities and U.S. personal information. These workers operated from countries including China and Russia, providing illicit revenue streams to the Kim regime. OFAC also designated one individual and four entities linked to a Russia-based DPRK IT worker network.

“Today’s action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs,” said Deputy Secretary of the Treasury Michael Faulkender.  “Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks.”

The action highlights the role of the DPRK’s Reconnaissance General Bureau (RGB) in supporting weapons development through cyber-enabled operations and reinforces prior sanctions on groups including Lazarus, Bluenoroff, and the Technical Reconnaissance Bureau. In announcing the designations, Treasury officials emphasized the threat posed by North Korea’s continued digital asset theft and the exploitation of US systems to evade sanctions.

North Korea’s global IT worker threat

The designation highlights a growing method of revenue generation for North Korea: the deployment of thousands of skilled IT workers embedded in tech and crypto companies worldwide. These individuals mask their origins using stolen documents, proxies, and aliases to apply for remote jobs — often in Web3, software development, or blockchain infrastructure. Payments made to these workers, typically in USDC or USDT, are laundered through complex wallet structures, privacy tools, and conversion channels, ultimately benefiting DPRK-controlled entities.

Song’s role in this scheme involved creating false personas using US citizens’ personal data to secure job placements for DPRK operatives. The broader network includes companies based in Russia that contracted directly with North Korean trading firms to deploy workers under long-term agreements, further entrenching the regime’s access to foreign income.

Coordinated US government action: OFAC, DOJ, and FBI

Today’s OFAC action follows a series of moves by the U.S. government targeting the same ecosystem with a focus on building out networks of facilitators like Song. On June 5, 2025, the Department of Justice filed a civil forfeiture complaint in the District of Columbia seeking over USD 7.7 million in cryptocurrency, NFTs, and digital assets tied to a laundering network operated by North Korean IT workers. These workers were embedded in crypto companies and tech startups, using fraudulent identities like “Joshua Palmer” and “Alex Hong” to collect stablecoin payments from US employers.

According to DOJ, the proceeds — often routed through centralized exchanges and self-hosted wallets — were consolidated and transferred to senior DPRK operatives, including Kim Sang Man and Sim Hyon Sop, both previously sanctioned. Investigators uncovered extensive use of Russian and UAE-based infrastructure, IP addresses, and fake documentation, underscoring the international scale of the scheme.

TRM graph showing IT worker proceeds first routed through centralized exchanges and self-hosted wallets before bring transferred to senior DPRK operatives, including Kim Sang Man and Sim Hyon Sop

The FBI and other law enforcement partners successfully seized digital assets linked to these laundering operations, including USDC, ETH, and high-value NFTs. Wallet activity showed a systematic effort to fragment and obfuscate funds before conversion to fiat through OTC brokers, including one sanctioned by OFAC in late 2024.

Surge in North Korea-linked crypto hacks in H1 2025

The first half of 2025 has seen a dramatic increase in crypto-related thefts. According to TRM, threat actors stole over USD 2.1 billion stolen across 75 hacks and exploits. North Korea is responsible for approximately USD 1.6 billion of those losses — nearly 70% — driven by the USD 1.5 billion Bybit hack. While exchange breaches remain significant, DPRK-linked operations are increasingly shifting toward deception-based revenue generation, including IT worker infiltration.

TRM Labs continues to track these evolving threats, supporting global law enforcement and national security agencies in investigating hacks, tracing laundering flows, and helping freeze and recover illicit assets. From network analysis to tracking illicit IT worker payments, TRM's intelligence tools remain central to countering North Korea’s misuse of the crypto ecosystem.

This is some text inside of a div block.
TRM Team

Related posts

arrow right
BLOG
June 5, 2025

DOJ Seeks Forfeiture of $7.7 Million in Cryptocurrency Tied to North Korean IT Worker Laundering Network

arrow right
BLOG
June 26, 2025

H1 2025 Crypto Hacks and Exploits: A New Record Amid Evolving Threats

arrow right
BLOG
February 27, 2025

The Bybit Hack: Following North Korea’s Largest Exploit

No posts to show
No posts to show
No posts to show
No posts to show
No posts to show

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe and stay up to date with our insights
No items found.
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT