Treasury Sanctions North Korean Over IT Worker Malware Scheme

The U.S. Department of the Treasury has imposed sanctions on cyber actor Song Kum Hyok for his association with North Korea's hacking group Andariel, which is linked to the Reconnaissance General Bureau and considered a sub-cluster of the Lazarus group. The Andariel state actor is focused primarily on financially motivated operations such as ransomware attacks and cryptocurrency heists.

Song Kum Hyok has been identified as a member of the Andariel hacking group, also known as APT45 and Silent Cholima. He has been providing fake or stolen U.S. identities to foreign IT workers seeking remote jobs at U.S. companies, with the workers splitting the income with Song, who then sent the funds to North Korea as part of the country's effort to finance its WMD (weapons of mass destruction) and ballistic missile programs.

The Treasury Department announced that Song facilitated an information technology (IT) worker scheme in which individuals, often DPRK nationals working from countries such as China and Russia, were recruited and provided with falsified identities and nationalities to obtain employment at unwitting companies to generate revenue for the DPRK regime. In some cases, these DPRK IT workers have been known to introduce malware into company networks for additional exploitation.

Between 2022 and 2023, Song Kum Hyok used stolen U.S. citizens' information (names, social security numbers, addresses) to create aliases for his collaborators that would get them hired by U.S. companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) lists another five parties as part of this sanctions regime.

The sanctions include a freeze on all assets under U.S. jurisdiction, a transaction ban for U.S. individuals and companies, and a cutoff of access to U.S.-based payment processing platforms. Furthermore, non-U.S. entities such as foreign banks and platforms that continue to do business with the sanctioned entities risk being sanctioned themselves.

This action comes shortly after the U.S. Department of Justice announced sweeping action against North Korean IT worker schemes in the country. The Department's announcement was made on July 1, 2025, when U.S. authorities performed searches at 29 “laptop farms,” announcing one arrest, 12 indictments, and the seizure of 29 financial accounts, 21 websites, and 200 computers.


Key Details of the Sanctions Regime

  • Frozen assets: All assets under U.S. jurisdiction are frozen.
  • Transaction ban: U.S. individuals and companies are prohibited from doing business with the sanctioned entities.
  • Payment processing cutoff: Sanctioned entities are blocked from using U.S.-based payment processing platforms.
  • Risk of secondary sanctions for non-U.S. entities: Foreign banks and platforms that continue to do business with the sanctioned entities risk being sanctioned themselves.

This action demonstrates the ongoing efforts by the U.S. government to disrupt North Korean IT worker schemes and prevent the country from generating revenue through illicit activities.