“Treasury sanctions key player behind North Korean IT worker scheme”, 9 July 2025

A senior official within North Korea’s Reconnaissance General Bureau (RGB) was sanctioned by the United States on Tuesday for his role in facilitating the IT worker scheme in China and Russia.

Song Kum Hyok, a cyber actor associated with North Korea’s Andariel hacking group, helped provide North Korean IT workers with stolen U.S. identities that were used to obtain employment, according to the Treasury Department’s Office of Foreign Assets Control (OFAC).

The office also sanctioned Russian national Gayk Asatryan and four companies involved in a Russia-based IT worker scheme that has generated significant revenue for North Korea.

Based in North Korea, Song allegedly used U.S. names, Social Security numbers and addresses to create aliases for workers that had been hired at U.S. companies in 2022 and 2023. The workers used the information to pose as U.S. citizens while working remotely.

Song allegedly provided identities for North Korean IT workers based in China and Russia. U.S. officials said in addition to gaining millions of dollars in illicit revenue through salaries, the North Korean workers “have been known to introduce malware into company networks for additional exploitation.”

The U.S. and other nations say the IT worker scheme is one of the primary ways North Korea funds its internationally sanctioned programs for nuclear missiles and other weapons.