BLOCKAWAY

U.S. Sanctions North Korean Hacker Over Global IT Worker Scheme Funding Weapons Programs

The U.S. Department of the Treasury has sanctioned a North Korean hacker accused of orchestrating a complex global scheme that placed covert operatives into remote IT jobs at American companies, diverting significant funds to support North Korea’s weapons of mass destruction and ballistic missile programs.

Song Kum Hyok, a member of the state-sponsored hacking group Andariel (also known as APT45), was designated by the Treasury’s Office of Foreign Assets Control (OFAC) for his central role in recruiting and deploying DPRK IT workers. These individuals, often operating from countries like Russia and China, used falsified U.S. identities—including stolen names, Social Security numbers, and addresses—to secure high-paying tech roles at U.S.-based firms.

Between 2022 and 2023, Song orchestrated efforts to create aliases and digital personas for North Korean operatives, enabling them to infiltrate the American job market undetected. Some of these workers also introduced malware into the networks of U.S. employers, further endangering national cybersecurity.

The money generated through these jobs was laundered and funneled back to North Korea, aiding its sanctioned military programs. Many of the targeted job roles were within cryptocurrency and digital infrastructure sectors—industries that are often less regulated and easier to exploit.

OFAC’s action, taken under Executive Order 13722, freezes any assets Song might hold in the U.S. and prohibits American entities from doing business with him. It also marks the latest U.S. effort to disrupt North Korea’s growing reliance on cyber-enabled financing strategies.

Federal law enforcement recently intensified its response, conducting operations across 16 states. Investigators seized financial accounts and domain names tied to the scheme, and uncovered so-called “laptop farms”—locations where company-issued devices were stored and accessed by North Korean workers posing as U.S. personnel.

The U.S. government has been warning about such activity since at least 2022, when the FBI issued an advisory. Since then, DPRK operatives have expanded their job-seeking efforts to nations including Germany, Portugal, and the United Kingdom.

In one alarming case from early 2024, authorities discovered a single North Korean operative using 12 separate stolen identities to apply for positions with American defense contractors.

Andariel, Song’s affiliated group, is known for high-profile cyberattacks, including a breach of South Korean VPN software that allowed them to install malware and steal sensitive data. The group’s actions reflect North Korea’s strategic shift toward exploiting remote work trends and global talent demands to sustain its isolated economy and weapons development goals.

This revelation has prompted renewed calls for American firms to strengthen identity verification for remote hires, particularly in sensitive sectors like finance, software development, and defense. National security experts warn that the increasing sophistication of state-sponsored employment fraud could create long-term vulnerabilities for both public and private sector institutions.

The Biden administration has vowed to expand cooperation with international allies to track and disrupt similar schemes, while urging companies to report any suspicious behavior or identity irregularities during the hiring process.

As North Korea continues to use cyber means to evade international sanctions and generate hard currency, the U.S. response is expected to escalate, combining targeted sanctions with broader cybersecurity reforms and international coordination.
