# US Treasury Department Imposes Sanctions on Russians and North Koreans Involved in Illegal IT Worker Scheme
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four companies for their involvement in a scheme to provide US companies with illegal remote IT workers whose income would fund the Democratic People’s Republic of Korea (DPRK) regime.
The sanctions target Song Kum Hyok, described as a "malicious cyber actor" associated with the already sanctioned DPRK Reconnaissance General Bureau hacking group Andariel, and Russian national Gayk Asatryan. OFAC said that in 2022 and 2023, Song created aliases for foreign workers using the names, Social Security numbers, and addresses of US individuals, which the workers then used to pose as US applicants looking for remote jobs.
Asatryan was sanctioned for "having attempted to engage in, facilitate, or be responsible for the exportation of workers from North Korea, including exportation to generate revenue for the Government of North Korea or Workers’ Party of Korea," OFAC’s announcement said. He signed a 10-year contract with DPRK's Korea Songkwang Trading General Corp. to hire up to 30 DPRK IT workers to work in Russia for his company, Asatryan Limited Liability Co.
He also signed a contract with Korea Saenal Trading Corp., another DPRK company, to hire 50 DPRK IT workers for his company, Fortuna Limited Liability Co. OFAC said that Asatryan's two companies were sanctioned "for being owned or controlled by or acting or purporting to act for or on behalf of, directly or indirectly, Asatryan, a person whose property and interests in property are blocked."
Songkwang Trading and Saenal Trading were also designated "for being North Korean persons, including North Korean persons that have engaged in commercial activity that generates revenue for the Government of North Korea or Workers’ Party of Korea." The sanctions target these companies as well as Asatryan's two companies.
Significance of the Sanctions
"These sanctions against the DPRK-Russian fake IT worker pipeline are a significant step toward closing a long-standing gap in remote-work security," said Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group. "By adding these key brokers to the SDN [US Specially Designated Nationals and Blocked Persons] list, the government has instantly frozen any payments that might flow through Russian front companies or crypto rails to North Korean developers, thereby cutting off a revenue stream that Pyongyang has relied on."
"They also raise the bar for corporate due diligence, as the IT worker scheme worked primarily because many organizations hired remote contractors on little more than a resume and a US PayPal address," Jean-Louis noted.
Ongoing Crackdown
The latest sanctions are part of the ongoing efforts by the US government to stop DPRK's illegal activities. Last month, the Justice Department's major sweep across 16 states seized laptops, financial accounts, and websites associated with the illegal remote IT worker scheme, and the FBI and Defense Criminal Investigative Service (DCIS) also took action.
The sanctions mean that any property in the US, or possessed or controlled by US persons, in which the sanctioned individuals hold an interest is blocked and must be reported to OFAC. Unless authorized, "OFAC's regulations generally prohibit all transactions by US persons or within (or transiting) the United States that involve any property or interests in property of blocked persons," OFAC said in the announcement.
Liability Boundaries
"These sanctions draw clear liability boundaries and nudge organizations towards stronger vetting without broad new regulations," Jean-Louis noted. "A key risk to consider: If a US company unknowingly hires or pays a newly sanctioned contractor, the consequences can escalate quickly."
OFAC violations are strict-liability offenses, which means that intent does not matter, and civil fines can run to significant amounts. Organizations can also face criminal penalties and loss of export privileges. Because OFAC's regulations are US law with extraterritorial application, foreign organizations would do well to consider their potential exposure too.