The U.S. has been working to crack down on what it warns is a wide-scale, concerted effort by North Korea to dupe American firms into hiring its IT workers to fund Pyongyang’s government and defense programs.
The FBI and the U.S. Justice Department have long warned that this kind of fraud could involve thousands of North Korean workers farming millions of dollars for weapons and missile programs. “For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” stated Sue J. Bai, Head of the Justice Department’s National Security Division.
In June, the Justice Department filed a civil forfeiture complaint freezing over $7.74 million in crypto and assets tied to the IT-worker scheme—centered on Sim Hyon‑Sop and a network of DPRK IT contractors. The June indictments revealed more than 100 U.S. companies unknowingly employed North Korean IT operatives from 2021–2024, funneling salaries into the DPRK’s weapons programs.
U.S. citizens in the U.S. and abroad allegedly helped set up shell companies and “laptop farms.”
State Department sanctions
On July 8, 2025, the U.S. State Department announced a new round of sanctions on North Korea and Russia-based cyber actors. Full text follows:
Sanctioning Malicious North Korean Cyber Actors
“The United States is imposing sanctions on Song Kum Hyok, a North Korean cyber actor associated with the U.S.-designated North Korea hacking group Andariel. Song was involved in in malicious cyber-enabled activities, which included an illicit information technology (IT) worker scheme. He is also linked to an attempted hack of the U.S. Department of the Treasury. We are also imposing sanctions on Russia-based facilitator Gayk Asatryan and four entities – two Russian and two North Korean – all involved in deploying IT workers internationally to generate revenue for the North Korean government.
The Democratic People’s Republic of Korea deploys IT workers who obfuscate their identities, often through identity theft of U.S. persons, to fraudulently obtain employment at unwitting foreign firms. The North Korea regime uses revenue generated by these workers to support its unlawful weapons of mass destruction and ballistic missile programs.
Today’s sanctions are part of the U.S. government’s efforts to combat North Korean cyber espionage and revenue generation. We will continue to take action against malicious cyber actors who attempt to undermine U.S. national security or the U.S. financial sector.
The U.S. Department of State’s Rewards for Justice program (RFJ) is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. RFJ is also offering a reward of up to $5 million for information leading to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including the exportation of its workers to generate revenue.
The Department of the Treasury’s actions were taken pursuant to Executive Order (E.O.) 13694, as amended; E.O. 13722; and E.O. 13810. For more information, see the State Department’s RFJ website, and the Cybersecurity and Infrastructure Security Agency cybersecurity advisory.”
