The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a North Korean hacker linked with the hacking group Andariel. The individual, a 38-year-old man named Song Kum Hyok, was allegedly hiring IT workers to seek remote employment in US-based companies and splitting the income.
Between 2022 and 2023, Song allegedly used stolen identities of US citizens, including their names, addresses, and Social Security numbers, to craft false identities for his team of foreign-hired workers. The workers then used these identities to apply for remote jobs in the US.
This is a rather popular scheme used by North Korea to fund various government projects, including its missile programs. North Korean IT workers also use deepfakes to create fake identities and appear for online job interviews to secure high-paying remote jobs and send earnings back to the DPRK.

The US Department of Justice only recently announced action against this scheme, including the arrest of an individual and massive seizures covering 29 financial accounts, 21 fake websites, and almost 200 computers. However, this time, the DPRK wasn’t the only target. Sanctions have been issued against a Russian national and four entities “involved in a Russia-based IT worker scheme that has generated revenue for the DPRK.” These include:
- Gayk Asatryan, who employed DPRK IT workers in his Russian companies named Asatryan LLC and Fortuna LLC.
- The Korea Songkwang Trading General Corporation, which partnered with Asatryan to send 30 IT workers to work in Russia under the company’s name.
- The Korea Saenal Trading Corporation, which signed a similar deal with Asatryan and sent as many as 50 IT workers to work in Russia under Fortuna LLC.

The Andariel hacking group is a sub-cluster within the infamous North Korean state-sponsored hacking group known as Lazarus. This is the first instance of an Andariel member being linked with the DPRK IT worker scheme.
The IT worker scheme has become a significant stream of income for the North Korean regime, in addition to frequent cryptocurrency hacks. A report from TRM Labs claims that North Korean hackers were responsible for nearly $1.6 billion of the total $2.1 billion lost across nearly 75 crypto hacks in the first half of 2025.
