The Treasury Department has levied sanctions against a North Korean cyber operative and notorious member of Kim Jong Un’s military intelligence agency, formally known as the “Reconnaissance General Bureau.”
The U.S. has accused Song Kum Hyok of facilitating an IT worker scheme and charges that the member of the “Andariel” hacking group recruited North Korean cyber operatives to pose as American remote workers for hire at unwitting companies worldwide. The sprawling scheme, according to the Treasury Department, allowed North Koreans operating in China and Russia to collect paychecks as a way of fundraising for Kim’s nuclear missile program. In some cases, North Korean IT workers have gone as far as to plant malware into company networks.
In 2022, Song began choreographing the moneymaking plot that stole personal information of U.S. citizens – including names, Social Security numbers, and addresses – in order to create aliases for the hired foreign workers disguised as American job applicants, with whom he ultimately split the proceeds.
As CBS News has reported, North Korea deploys IT workers worldwide to fraudulently seek jobs with top companies, allowing North Korean cyber operatives to take home a hefty paycheck that is ultimately funneled to the regime. The moneymaking scheme is worth hundreds of millions, according to FBI senior officials.
Treasury officials said North Korea’s IT worker scheme employs “thousands of highly skilled workers” who are primarily located in China and Russia, ultimately channeling funds to Kim Jong Un’s weapons of mass destruction and ballistic missile programs.
As part of its crackdown on Kim Jong Un’s growing cyber espionage campaign and attempted impersonation of American workers, the department’s Office of Foreign Assets Control, known as OFAC, is also sanctioning four entities that it found were funneling money to North Korea as part of a Russia-based IT worker scheme.
The Treasury Department is also targeting the Russia-based “Asatryan IT Worker Network.” The network’s founder, Gayk Asatryan, according to the department, was found to have signed a 10-year contract with the North Korean regime in 2024, agreeing to dispatch as many as 30 North Korean IT workers to work in Russia for his company, part of a broad money-making scheme.
The government’s efforts to undercut North Korea’s “unlawful weapons development,” stem from a March 2016 United Nations Security Council Resolution.
“Today’s action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs,” Treasury Deputy Secretary Michael Faulkender told CBS News in a statement, reaffirming the government’s goal of “using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks.”
According to the Treasury, North Korean cyber operatives engaged in IT worker schemes routinely hide their locations and use proxy accounts, stolen identities and falsified or forged documentation to apply for jobs at employers in wealthier countries.
Applications and software developed by North Korean IT workers span popular industry sectors like business, health and fitness, social networking, sports, entertainment and lifestyle, according to the Treasury Department. The North Korean cyber operatives often take on projects involving virtual currency exchanges, enabling them to more easily launder money back to the regime, undetected.
In May, CBS Mornings profiled “Steven Smith,” a suspected member of North Korean leader Kim Jong Un’s cyber army. Smith was caught red-handed a by the cryptocurrency firm Kraken after a “do not hire” list circulated by law enforcement flagged him as a potential North Korean spy.
