On July 8, 2025, the US Department of the Treasury's Office of Foreign Assets Control (“OFAC”) announced a new round of sanctions targeting individuals and entities involved in a cyber-enabled scheme to generate revenue for the Democratic People's Republic of Korea (“DPRK”). The action focuses on the use of falsified identities and remote IT work to circumvent US sanctions programs and fund the DPRK regime's weapons programs. The sanctions were imposed under Executive Orders (“E.O.”) 13722, 13694 (as amended), and 13810 and designate key facilitators and front companies for orchestrating the use of stolen US identities to place DPRK nationals in remote jobs with US companies. These workers, often based in China and Russia, have been linked to malware intrusions and virtual currency laundering operations.
We previously discussed efforts in the EU and US to expand sanctions against the DPRK on June 8, 2016. At the time, OFAC had just designated North Korea as a jurisdiction of “primary money laundering concern,” citing its use of state-controlled financial institutions and front companies to finance the proliferation of weapons of mass destruction and ballistic missile programs. Since that action, the US has steadily expanded its sanctions enforcement targeting the DPRK's cyber and financial networks. Notable developments include the designation of the Lazarus Group in September 2019, a state-sponsored hacking group responsible for high-profile cyberattacks and virtual currency thefts, and the May 2023 sanctions targeting additional cyber organizations, including the Technical Reconnaissance Bureau, used to steal funds in support of the regime's unlawful weapons of mass destruction and ballistic missile programs. These measures reflect a growing focus on disrupting the DPRK's use of cyber-enabled schemes and overseas labor to finance its weapons programs.
Targeted Entities and Individuals
OFAC's latest action targets the following individuals and entities engaged in the cyber-enabled scheme to generate revenue for the DPRK:
- Song Kum Hyok, a DPRK-based cyber operative affiliated with the Andariel hacking group (a subgroup of the previously designated Lazarus Group), was sanctioned pursuant to E.O. 13694 (as amended by E.O. 14306) for misappropriating US personal identifiers (i.e., names, SSNs, and home/business addresses) to create false identities for DPRK IT workers. These workers then used the stolen identities to pose as US nationals and secure remote employment with US companies, generating revenue for the DPRK regime and, in some cases, introducing malware into corporate networks.
- Gayk Asatryan, a Russian national, was designated under E.O. 13722 for facilitating the export of DPRK labor through long-term contracts with DPRK state-owned entities. His companies, Asatryan LLC and Fortuna LLC, were also designated under E.O. 13722 for being owned or controlled by Asatryan.
- DPRK entities Songkwang Trading and Saenal Trading were also designated pursuant to E.O. 13810 for engaging in commercial activities that generate revenue for the Government of North Korea or the Workers' Party of Korea, including the overseas deployment of IT workers.
Geopolitical Context
This latest sanctions action builds on a broader US and multilateral strategy to counter the DPRK regime's use of cyber-enabled means to evade sanctions and finance its weapons programs. The DPRK operates a global network of thousands of skilled IT workers who use false identities, forged documents, and stolen personal data to secure remote employment with foreign companies, particularly in the US and other high-income countries. These workers often operate through freelance platforms and social media, developing software and applications across sectors such as finance, healthcare, and entertainment. In addition to generating revenue for the regime, many of these workers engage in virtual currency transactions to launder and remit funds back to the DPRK. In some cases, they have introduced malware into corporate systems, enabling further exploitation and theft of sensitive data.
OFAC Designation Implications
As a result of OFAC's designations, all property and interests in property of the targeted individuals and entities that are in the United States or in the possession or control of US persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. All transactions by US persons or within (or transiting) the United States that involve any property or interests in property of designated or blocked persons are prohibited unless authorized by a general or specific license issued by OFAC or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.