U.S. Sanctions North Korean IT Workers Over 'Cyber Espionage,' Crypto Thefts

The U.S. Treasury Department's sanctions watchdog added North Korean national Song Kum Hyok to its "Specially Designated Nationals" list, alleging he is "a malicious cyber actor" tied to a North Korean hacking group.

The Office of Foreign Assets Control moved to block Song from the global financial system on Tuesday, arguing he worked to place other North Korean officials in various companies as IT workers. These IT workers would then send funds back to North Korea and, in some cases, find ways of exploiting the companies they worked for to generate additional revenue.

The crypto industry has been hard-hit by these types of schemes, with numerous major thefts taking place as a result of efforts by North Korean hackers.

"The DPRK generates significant revenue through the deployment of IT workers who fraudulently gain employment with companies around the world, including in the technology and virtual currency industries," Tuesday's release said.

Late last month, crypto investigator and analyst ZachXBT said "multiple projects ... were exploited," likely due to hiring North Korean IT workers as developers.

Though Tuesday's Treasury Department release mentioned past hacks of crypto projects, it did not name any specific ones or include any crypto wallets in its sanctions list. It did note that the department had previously sanctioned the Lazarus Group, which investigators have tied to various crypto hacks across the past several years, including the $625 million theft from Axie Infinity and this year's massive $1.5 billion hack of Bybit.

"DPRK IT workers often take on projects that involve virtual currency, and they use virtual currency exchanges and trading platforms to manage funds they receive for contract work as well as to launder and remit these funds to the DPRK," the U.S. Treasury Department said Tuesday.

'Illicit Revenue Generation'

Ari Redbord, the global head of policy and government affairs at TRM Labs, said the embedded IT workers "have served as on-ramps to both illicit revenue generation and eventual intrusion activity, particularly in the crypto space."

"One notable aspect of today’s designation is the explicit reference to North Korean IT workers operating out of China and Russia," he said, adding that this shows a "growing alignment" between the DPRK and certain jurisdictions.

"This action also fits into a broader pattern. In just the last month, Treasury has taken multiple steps targeting North Korea’s use of IT workers to funnel illicit proceeds back to Pyongyang often laundered through crypto exchanges and anonymized platforms," he said.

"Song represents the operational layer behind those schemes: not the hacker, but the enabler. And that makes him just as important to disrupt. Building out networks has been a huge focus for Treasury over the last few months and this is another example of going after facilitators," Redbord added

Read more: How North Korea Infiltrated the Crypto Industry