Exposed: How North Korean Operatives Infiltrated Global Crypto Firms Through Secret Networks

Published: 2025-07-09 08:55:54

The Secret Network Placing North Korean Workers Inside Crypto Firms

Behind the anonymized wallets and decentralized fronts, a shadow workforce slips past compliance checks.


The Lazarus loophole

Sanctions? Blockchain doesn’t care. Remote dev teams hiring ‘Eastern European talent’? Might want to check those IP addresses again. Pyongyang’s IT sweatshops have been outsourcing coders—and siphoning funds—for years.


Crypto’s compliance theater

Exchanges tout KYC like a badge of honor while turning blind eyes to obfuscated payrolls. (Funny how due diligence weakens when dev talent’s 80% cheaper.) One blockchain analytics firm traced $200M in suspect stablecoin flows to cloud-hosting invoices.


The new cyber-mercenaries

These aren’t your grandfather’s counterfeiting operations. Today’s DPRK operatives write Solidity contracts, pen Medium posts, even attend virtual meetups—all while funneling salaries back to missile programs.

Another Tuesday in web3, where the only thing more decentralized than the tech is the moral responsibility.

TLDR

  • US Treasury sanctioned North Korean Song Kum Hyok and Russian Gayk Asatryan for running IT worker schemes targeting crypto companies
  • North Korea deploys thousands of skilled IT workers worldwide to generate revenue for ballistic missile programs
  • TRM Labs reports North Korea shifting from direct hacks to deception-based revenue through IT worker infiltration
  • North Korean hackers stole $1.6 billion of the $2.1 billion in total crypto thefts in the first half of 2025
  • US authorities have charged multiple North Korean nationals and are seizing millions in crypto earned through fake identities

The US Treasury Department has imposed sanctions on two individuals and four entities connected to a North Korean scheme that places IT workers inside cryptocurrency companies. The action represents the latest effort to combat North Korea’s expanding digital infiltration operations.

The Treasury’s Office of Foreign Assets Control sanctioned Song Kum Hyok, a North Korean national accused of stealing US citizens’ information to create false identities. These stolen identities were then used by foreign IT workers seeking employment at American companies.

Today, the Treasury's Office of Foreign Assets Control is taking action to stop individuals and entities that are enabling the Democratic People's Republic of Korea (DPRK) IT worker schemes.

The DPRK generates significant revenue for its WMD and ballistic missile programs by…

— Treasury Department (@USTreasury) July 8, 2025

Russian national Gayk Asatryan also received sanctions for allegedly employing dozens of North Korean IT workers through his companies. The Treasury said Asatryan signed long-term agreements with North Korean trading firms starting in 2024 to facilitate these placements.

The sanctions freeze all US assets connected to the sanctioned individuals and entities. US persons are now prohibited from conducting financial transactions or business dealings with them under threat of civil and criminal penalties.

Revenue Generation for Weapons Programs

North Korea operates a workforce of thousands of highly skilled IT workers deployed globally to generate revenue for its ballistic missile programs. The majority of these workers are located in China and Russia, according to Treasury officials.

The workforce primarily targets employers in wealthier countries using various networking platforms. These operations have expanded worldwide, with Google reporting in April that the infrastructure for such schemes has spread internationally.

Treasury Deputy Secretary Michael Faulkender said the department remains committed to disrupting North Korea’s efforts to circumvent sanctions through digital asset theft and malicious cyber attacks. The sanctions demonstrate the US government’s focus on targeting the operational networks behind these schemes.

Shift in North Korean Tactics

Blockchain intelligence firm TRM Labs reported that North Korea is shifting away from direct hacking operations toward deception-based revenue generation. While exchange breaches remain a threat, North Korean operations increasingly focus on IT worker infiltration.

🚨 This afternoon the @USTreasury sanctioned a key North Korean cyber actor for running an IT worker scheme using fake US IDs to funnel funds to the DPRK. For more check out our blogpost here: https://t.co/MJ5a0jaoDL pic.twitter.com/i7fbe9STp5

— TRM Labs (@trmlabs) July 8, 2025

The country has been responsible for some of the largest cryptocurrency thefts in history through groups like Lazarus Group. TRM Labs estimates North Korean actors stole $1.6 billion of the $2.1 billion taken across 75 crypto hacks in the first half of 2025.

The embedded IT workers serve as pathways to both revenue generation and eventual intrusion activity in the crypto space. This approach allows North Korea to maintain ongoing access to target companies while generating legitimate income streams.

US authorities have intensified enforcement actions against North Korean IT worker schemes throughout 2025. On June 30, four North Korean nationals faced wire fraud and money laundering charges after posing as remote workers at US and Serbian blockchain companies. The Department of Justice is also seeking to seize $7.74 million in frozen cryptocurrency allegedly earned by North Korean IT workers using fake identities at blockchain firms.
