North Korea Andariel Hacker Behind US Sanctions Fraudulent IT Worker Scheme


The US Treasury Department’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of North Korea’s Andariel hacking group for his role in the notorious remote Information Technology (IT) worker scheme.

The Treasury Department said Song Kum Hyok, a 38-year-old North Korean national with an address in Jilin Province, China, enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with US companies and planning to split the income with them.

Between 2022 and 2023, Song is said to have created aliases for the hired workers using the identities of people in the United States, including their names, addresses, and Social Security numbers.

The development comes days after the US Department of Justice (DOJ) announced a sweeping measure targeting the North Korean Information Technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites and nearly 200 computers.

Sanctions have also been imposed on a Russian national and four entities involved in a Russia-based IT worker scheme that contracted and hosted North Korean IT workers. These are:

  • Gayk Asatryan, who employs North Korean IT workers through the Russia-based companies Asatryan LLC and Fortuna LLC
  • North Korea’s Songkwang Trading General Corporation, which signed a contract with Asatryan and dispatched up to 30 IT workers to work in Russia for Asatryan LLC
  • North Korea’s Saenal Trading Corporation, which signed a contract with Asatryan and dispatched up to 50 IT workers to work in Russia for Fortuna LLC

The sanctions are notable for tying threat actors linked to Andariel, a sub-cluster within the Lazarus Group, to the IT worker schemes that have become an important illicit revenue stream for the heavily sanctioned nation. The Lazarus Group is assessed to be affiliated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB).


The action “emphasizes the importance of vigilance against the DPRK’s continued efforts to secretly fund its WMD and ballistic missile programs,” said Michael Faulkender, Deputy Secretary of the Treasury.

“The Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to evade sanctions through digital asset theft, impersonation of Americans, and malicious cyberattacks.”

The IT worker scheme, also tracked as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean actors obtaining employment with US companies as remote IT workers in order to draw salaries using a mix of stolen and fictitious identities.

The insider threat is just one of many methods Pyongyang has adopted to generate revenue for the country. Data compiled by TRM Labs shows that North Korea was behind about $1.6 billion of the $2.1 billion stolen across 75 cryptocurrency hacks and exploits in the first half of 2025 alone.

While most of the measures taken to combat the threat have ostensibly originated with US authorities, Michael “Barni” Barnhart, principal i3 insider risk investigator at DTEX, told The Hacker News that other countries have stepped up and acted similarly, raising awareness among a larger audience.

“This is a complex, cross-border issue with many moving parts, so international collaboration and open communication are extremely useful,” says Barnhart.

“As an example of the complexity of this issue, North Korean IT workers could be physically located in China, employing front companies posing as Singapore-based businesses, contracting with European vendors that serve US clients. That level of operational layering highlights how effective joint investigation and intelligence sharing are in countering it.”

“The good news is that awareness has increased significantly in recent years, and we are now seeing the fruits of that labor. These initial steps toward recognition are part of a wider global shift to recognize and actively disrupt these threats.”


The sanctions dovetail with reports that a North Korea-based group tracked as Kimsuky (aka APT-C-55) is using a backdoor called HappyDoor in attacks targeting South Korea. According to AhnLab, HappyDoor has been in use since 2021.

The malware, typically distributed via spear-phishing emails, has been steadily improved over the years and can collect sensitive information, run commands, PowerShell code, and batch scripts, and upload files of interest to the attackers.

“The threat actor, who primarily disguises as teaching and academic staff, uses social engineering techniques such as spear phishing to install the backdoor via attachments and distributes attachments that may install additional malware.”
