The U.S. Department of the Treasury has imposed new sanctions on a North Korean hacker associated with the infamous Andariel group. Using fake information technology employees, this individual organized a wide-ranging conspiracy to infiltrate companies in the United States, acquire sensitive information, and funnel millions of dollars back to North Korea’s weapons programs. The move is the latest shift in how governments are responding to the growing danger of North Korea’s cyber operations.
The Andariel Group: North Korea’s Elite Cyber Warfare Unit
The Treasury Department designated Song Kum Hyok, a 38-year-old North Korean national, as one of the main participants in the Andariel hacking group. This specialist cyberattack unit operates under the Reconnaissance General Bureau (RGB) of North Korea, the primary military intelligence apparatus behind the country’s most advanced cyberattacks.
Andariel, a.k.a. Onyx Sleet, is a specialized branch under the larger umbrella of the notorious Lazarus Group. Whereas Lazarus gained notoriety through large-scale incidents such as the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign, Andariel has run narrower campaigns against sectors such as central banks and oil and gas companies, targeting their websites and infrastructure.
Cybersecurity specialists said that Song was based in China’s Jilin province, which borders North Korea. The location offered not only proximity to resources at home but also China’s better internet infrastructure, which sophisticated cyber operations require.
How the North Korean Hacker Scheme Operated
In 2022-2023, Song conceived of a larger operation that U.S. officials refer to as “Nickel Tapestry” (also tracked under the names Wagemole or UNC5267), an elaborate scheme to infiltrate American businesses. It marked one of the major shifts in North Korean cyber strategy, reflecting a move toward more advanced intrusion operations.
The scheme worked through several coordinated stages:
- Song and his team stole the identities of U.S. citizens, including names, addresses, and Social Security numbers
- These stolen identities were used to create convincing personas for North Korean IT workers
- The workers, posing as American freelancers, applied for remote positions at U.S. companies
- Once hired, they collected legitimate salaries while secretly installing backdoors and malware
- Funds were laundered through complex cryptocurrency transactions back to North Korea
What made this operation so dangerous was its dual purpose. It not only generated considerable income from legitimate salaries but also provided access to sensitive systems and created an insider threat: data could be stolen and networks compromised without triggering the alarms that traditional security controls raise against external attackers.
The Treasury Department revealed that Song collaborated with Russian national Gayk Asatryan, who signed a 10-year agreement with North Korean trading firms in 2024. Asatryan formed a network called the “Asatryan IT Worker Network,” hosting up to 30 North Korean IT specialists in Russia who then secured jobs in Western tech firms.
Targeting the Cryptocurrency Sector
While the IT worker scheme targeted various industries, cryptocurrency firms faced particularly severe consequences. A report by a blockchain analytics company, TRM Labs, revealed that in the first six months of 2025 alone, North Korean cryptocurrency hackers stole a staggering $1.6 billion from global crypto companies.
This represents over three-quarters of the total $2.1 billion stolen across 75 major crypto hacks during that timeframe. The most significant incident was the massive Bybit exchange breach, which resulted in approximately $1.5 billion in losses.
Cybersecurity analysts note that while direct exchange hacks remain a threat, the IT worker infiltration strategy has become increasingly preferred because of its lower visibility and high return on investment. Placing operatives inside crypto companies gave North Korean hackers privileged access to internal systems, often bypassing the security mechanisms that had been installed to stop external threats.
U.S. Sanctions and Their Implications
The Office of Foreign Assets Control (OFAC) of the U.S. Treasury sanctioned Song Kum Hyok on July 8, 2025, adding him to its list of Specially Designated Nationals. The sanctions also targeted Gayk Asatryan and four Russian entities linked to the crypto cyber campaign.
These sanctions effectively cut off the designated individuals and entities from the U.S. financial system. Any assets they hold within U.S. jurisdiction are frozen, and American citizens and companies are prohibited from conducting business with them.
“Treasury remains committed to using all available tools to disrupt the Kim Jong Un regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber attacks.”
Michael Faulkender, Deputy Secretary of the Treasury
The sanctions are part of a broader U.S. strategy to combat North Korean cyber threats. Just days before this announcement, the Department of Justice revealed sweeping actions targeting the North Korean IT worker scheme, including:
- The arrest of one individual connected to the operation
- Seizure of 29 financial accounts used to launder proceeds
- Takedown of 21 fraudulent websites used in the scheme
- Confiscation of nearly 200 computers linked to the operation
On June 30, four North Korean nationals were charged with wire fraud and money laundering after allegedly posing as remote workers at blockchain firms in the U.S. and Serbia. Earlier, on June 5, the Department of Justice moved to seize $7.74 million in frozen cryptocurrency tied to North Korean IT workers.
The IT workers of North Korea mostly work in Russia and China, and the money goes back to Pyongyang.
Ari Redbord, global head of policy and government affairs at TRM Labs, pointed out that such activities indicate growing alignment between North Korea and certain jurisdictions, especially Russia and China. “One notable aspect of today’s designation is the explicit reference to North Korean IT workers operating out of China and Russia,” Redbord stated.
The FBI estimates that the entire moneymaking operation could be worth hundreds of millions of dollars annually, with funds being routed to the regime across Russia, China, and even through U.S.-based financial systems.
National Security Implications and Business Risks
North Korea’s cyber operations directly fund its weapons development programs, including nuclear and missile technology.
U.S. officials believe the ultimate goal of North Korea’s cyber hacking schemes is to support the country’s weapons development programs. Treasury Deputy Secretary Michael Faulkender stated that thousands of North Korean IT workers, mostly stationed in Russia and China, are actively targeting companies in wealthier nations.
The income generated from these operations, often obtained under fake identities, is funneled back to the regime to finance its arsenal and nuclear warheads. This creates a direct link between cybersecurity threats and national security concerns.
For businesses, the threat goes beyond financial losses. Companies that unknowingly hire North Korean operatives face multiple serious risks:
Immediate Business Risks
- Data theft and intellectual property loss
- Network compromise and backdoor installation
- Potential regulatory violations and sanctions
- Reputational damage from security breaches
Broader Security Implications
- Contribution to North Korean weapons programs
- Undermining of international sanctions
- Enabling future cyber attacks
- Potential access to critical infrastructure
These operatives are particularly dangerous as insider threats because they obtain authorized access to systems and networks. Unlike external attacks, which may trigger security alerts, their malicious activity is much harder to detect because they operate with legitimate credentials.
Connection to Other North Korean Cyber Operations
The IT worker scheme represents just one facet of North Korea’s broader cyber strategy. Recent reports indicate that another North Korea-aligned group, Kimsuky (also known as APT-C-55), is using a sophisticated backdoor called HappyDoor in attacks targeting South Korean entities.
According to security firm AhnLab, HappyDoor has been deployed since at least 2021 and has seen steady improvements. The malware enables the attackers to gather sensitive data, execute commands, run PowerShell scripts and batch files, and download files of interest.
Kimsuky typically poses as professors or academic institutions, sending spear-phishing emails with malicious attachments that deliver the backdoor. This shows the variety of tactics North Korean cyber actors use across their range of target sectors.
5 Essential Protection Strategies Against North Korean Hacker Threats
As North Korean hackers continue to refine their methods, organizations must adopt robust security measures to guard against these advanced threats. These are five key strategies businesses should consider:
Enhanced Identity Verification
- Implement multi-factor identity verification for all new hires
- Conduct video interviews with all remote candidates
- Verify credentials through official channels, not just provided references
- Use identity verification services that check against government databases
- Consider biometric verification for sensitive positions
Zero-Trust Network Architecture
- Enforce strict least-privilege access control
- Require continuous authentication for system access
- Segment networks to limit lateral movement
- Monitor all internal traffic for suspicious patterns
- Implement just-in-time access for sensitive systems
Insider Threat Detection
- Deploy User and Entity Behavior Analytics (UEBA) solutions
- Watch for anomalous data access or exfiltration patterns
- Monitor after-hours activity and unauthorized access attempts
- Deploy data loss prevention (DLP) tools
- Run security awareness training on a regular basis
Cryptocurrency Security
- Implement multi-signature requirements for transactions
- Use hardware wallets for cold storage of significant assets
- Monitor blockchain for transactions to sanctioned addresses
- Implement time locks for large transactions
- Partner with blockchain analytics firms to identify suspicious patterns
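As an added example of how the cryptocurrency controls above combine into one outbound-transfer policy (this is illustrative code written for this article, not any exchange's or analytics vendor's implementation), the script below screens a destination against a sanctioned-address list, requires more distinct approvals as the amount grows, and holds large transfers under a time lock. The sanctioned addresses, approval tiers, thresholds and ledger entries are all placeholders constructed for the example; a real deployment would load the current OFAC SDN digital-currency address entries instead of the placeholder set.

```python
from datetime import datetime, timedelta

# Placeholder sanctioned addresses, constructed for this example. A real deployment
# would load the current OFAC SDN digital-currency address entries and refresh
# them whenever the list is updated.
SANCTIONED_ADDRESSES = {
    "0xsanctionedplaceholder0001",
    "bc1qsanctionedplaceholder0002",
}

# Assumed policy values (hypothetical, not from the article).
APPROVAL_TIERS = [        # (minimum USD value, distinct approvals required)
    (100_000, 3),
    (10_000, 2),
    (0, 1),
]
LARGE_TX_USD = 100_000    # transfers at or above this also get a time lock
TIME_LOCK = timedelta(hours=24)


def normalize(addr):
    """Canonical form for comparison: addresses are treated case-insensitively here."""
    return addr.strip().lower()


def is_sanctioned(addr):
    return normalize(addr) in SANCTIONED_ADDRESSES


def required_approvals(amount_usd):
    """Return how many distinct signers a transfer of this size needs."""
    for floor, needed in APPROVAL_TIERS:
        if amount_usd >= floor:
            return needed
    return 1


def evaluate_transfer(tx, now):
    """Decide whether a proposed outbound transfer may be broadcast.

    tx: {"to": address, "amount_usd": number, "approvals": [signer ids],
         "submitted_at": datetime}
    Returns {"action": "block" | "hold" | "approve", "reasons": [...]}.
    A sanctioned destination is blocked outright; everything else is held
    until it has enough distinct signatures and, for large amounts, until
    the time lock has elapsed.
    """
    if is_sanctioned(tx["to"]):
        return {"action": "block", "reasons": ["sanctioned_destination"]}
    reasons = []
    have = len(set(tx["approvals"]))      # the same signer approving twice counts once
    need = required_approvals(tx["amount_usd"])
    if have < need:
        reasons.append(f"insufficient_signatures:{have}/{need}")
    if tx["amount_usd"] >= LARGE_TX_USD and now < tx["submitted_at"] + TIME_LOCK:
        reasons.append("time_lock_active")
    return {"action": "hold" if reasons else "approve", "reasons": reasons}


def scan_ledger(transfers):
    """Return txids of past transfers touching a sanctioned address in either direction."""
    return [t["txid"] for t in transfers
            if is_sanctioned(t["from"]) or is_sanctioned(t["to"])]


# Constructed ledger entries for the scan demo (not real transactions).
SAMPLE_LEDGER = [
    {"txid": "tx-001", "from": "0xtreasuryhotwallet", "to": "0xexchangedeposit", "amount_usd": 500},
    {"txid": "tx-002", "from": "0xtreasuryhotwallet", "to": "0xSanctionedPlaceholder0001", "amount_usd": 90_000},
    {"txid": "tx-003", "from": "bc1qSANCTIONEDplaceholder0002", "to": "bc1qtreasurycold", "amount_usd": 10},
]


if __name__ == "__main__":
    now = datetime(2025, 7, 10, 12, 0)
    print("ledger hits:", scan_ledger(SAMPLE_LEDGER))
    proposal = {"to": "0xexchangedeposit", "amount_usd": 250_000,
                "approvals": ["cfo", "cto", "cfo"], "submitted_at": now}
    print(evaluate_transfer(proposal, now))
```

Two design points matter for the threat the article describes. Approvals are counted as distinct signers, so one compromised or malicious insider account cannot satisfy a multi-signature requirement by signing repeatedly. And the time lock is evaluated independently of the signature count, so even a fully signed large withdrawal sits visible for a full review window, which is the delay that gives monitoring a chance to catch an operative who already holds legitimate credentials.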
Supply Chain Security
- Conduct thorough vendor security assessments
- Implement code signing and verification
- Limit third-party access to critical systems
- Monitor all third-party connections and activities
- Establish clear security requirements in contracts
Michael Barnhart, Principal i3 Insider Risk Investigator at DTEX, notes that international collaboration is essential in combating these threats. “This is a complex, transnational issue with many moving parts, so international collaboration and open communication are extremely useful,” Barnhart explains.
“For an example of some of the complexities with this issue, a North Korean IT worker may be physically located in China, employed by a front company posing as a Singapore-based firm, contracted to a European vendor delivering services to clients in the United States. That level of operational layering highlights just how important joint investigations and intelligence sharing are in effectively countering this activity.”
Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX
The encouraging news, according to Barnhart, is that awareness has grown considerably over the past few years. He observes that these are the first of many such awareness efforts around the world.
The Evolving Threat of North Korean Hackers
The sanctions imposed on Song Kum Hyok and his associates mark a positive step in disrupting North Korea’s cyber activities, but they also show how the threat is shifting. As direct hacking becomes less likely to succeed against improved security, North Korean actors have turned to more advanced methods of infiltration that exploit human factors and insider access.
This change demands a matching change in defense strategies. Organizations need to go beyond perimeter protection and adopt holistic strategies that encompass identity verification, insider risk assessment, and international collaboration.
As North Korean hackers persistently attack organizations around the world to finance the regime’s weapons programs, vigilance and proactive security precautions are essential. By understanding their tactics and instituting strong countermeasures, organizations can minimize the risk of falling victim to these advanced threats.
Ahsan Ali is a technology blogger and the founder of Techzivo.com, a platform dedicated to delivering insightful and practical content for tech enthusiasts. He currently focuses on creating in-depth articles around cybersecurity, aiming to help readers stay safe and informed in the digital world. With a passion for emerging technologies, Ahsan plans to expand Techzivo’s coverage into other technology micro-niches such as AI, cloud computing, and digital privacy, offering valuable insights for a broader tech-savvy audience.