New North Korean Hacker Group Sanctioned Over Crypto Thefts In The US

Key Insights:

• The US government has just sanctioned two individuals and four Russian entities linked to the cyber crypto campaign.
• North Korean cyber attack operatives are more and more favoring infiltration over brute-force hacking.
• They have been responsible for billions being stolen from the crypto space in multiple events this year alone.

The United States has imposed fresh sanctions on a new North Korea-backed cyber operation. This group has allegedly been using remote job applications to funnel stolen crypto funds into Kim Jong Un’s nuclear weapons program

The latest developments now show that North Korean cyber attacks are escalating from brute-force cyber attacks into infiltration and stealing funds from the inside. Here are the details.

Infiltration Through Employment, Not Just Crypto Hacking

North Korea’s cyber attacks have made headlines many times in the past for damaging hacks, including the notorious Lazarus Group’s involvement in some of the largest crypto thefts to date

However, according to recent findings by the US Treasury and blockchain analytics firm TRM Labs, the regime is now investing heavily in other methods. One of the most disturbing of these is the use of highly skilled IT workers posing as remote contractors.

These contractors are used to secure employment in US-based blockchain and crypto companies and don’t just steal data:

Instead, they pose as real employees by assuming the identities of US citizens. They exploit company access, plant malware and collect salaries that are funneled back to the North Korean government

According to reports, their work reportedly spans across sectors including business software, health and fitness apps, social networking, sports, entertainment and crypto exchanges.

Sanctions Target Individuals and Front Companies

On July 8, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals and four Russian entities linked to the crypto cyber campaign

Among those named was Song Kum Hyok, a North Korean operative and a member of the Andariel hacking group. For context, the Andariel hacking group is part of Kim Jong Un’s military intelligence wing known as the Reconnaissance General Bureau.

Song is accused of masterminding a massive identity theft campaign as far back as 2022. Then, he stole names, Social Security numbers, and other personal information from American citizens

These stolen identities were then used to disguise North Korean IT workers as real job applicants

The workers, once hired, would share the income with Song and other operatives. In some cases, they would even go as far as inserting malware into company systems

Another sanctioned individual was Gayk Asatryan, a Russian national who allegedly signed a 10-year agreement with North Korean trading firms in 2024

He formed a network under this deal. It was called the “Asatryan IT Worker Network”, and would host up to 30 North Korean IT specialists in Russia. He helped them with several tasks, including helping them secure jobs in Western tech firms

And so far, the four sanctioned individuals tied to Asatryan are now barred from accessing any assets within the US. They also face criminal penalties for any ongoing or future transactions with US companies.

All To Fund Weapons of Mass Destruction

US officials believe the ultimate goal of this cyber hacking scheme that has spanned years, is to support North Korea’s weapons development. Treasury Deputy Secretary Michael Faulkender stated that thousands of North Korean IT workers, mostly stationed in Russia and China are actively targeting crypto companies in wealthier nations

Their income, often obtained under fake identities, is funneled back to the regime to pay for its arsenal and nuclear warheads.

“The Kim regime is determined to evade sanctions using every digital loophole it can find,” Faulkender emphasized. “From digital asset theft to fake job applications, their tactics are evolving. We are using all available tools to disrupt these networks.”

Massive Losses in the Crypto Sector

While exchange hacks still remain a risk, other strategies like the IT worker infiltration are becoming more and more preferred. This is due to their lower visibility and high return

Similarly, on June 30, four North Korean nationals were charged with wire fraud and money laundering. This is after allegedly posing as remote workers at blockchain firms in the US and Serbia.

Earlier on June 5, the DOJ moved to seize $7.74 million in frozen crypto tied to North Korean IT workers. According to the FBI, the entire moneymaking operation could be worth hundreds of millions of dollars. This is with funds being routed to the regime across Russia, China, and even the US.