U.S. Sanctions North Korean Cyber Operative Linked to Kim Jong Un’s Military Intelligence Agency
The U.S. Treasury Department has imposed sanctions on a North Korean cyber operative, identified as Song Kum Hyok, who is associated with the Reconnaissance General Bureau, a key unit within Kim Jong Un’s military intelligence apparatus. The move highlights ongoing efforts by the U.S. government to counter North Korea’s cyber activities that support its nuclear and missile programs.
According to the Treasury, Song Kum Hyok played a central role in orchestrating a scheme involving IT workers from North Korea. These operatives were recruited to pose as American remote workers, targeting companies globally. The operation allowed North Koreans working in China and Russia to receive paychecks, which were then used to fund Kim Jong Un’s weapons of mass destruction and ballistic missile initiatives.
In 2022, the scheme expanded to include the theft of personal information from U.S. citizens, such as names, Social Security numbers, and addresses. This data was used to create fake identities for North Korean workers, who were then hired under the guise of American job applicants. The stolen information was exploited to generate income, with profits shared between the operatives and their recruiters.
North Korea has long deployed IT workers to fraudulently seek employment at top-tier companies around the world. This strategy allows North Korean cyber operatives to earn substantial salaries, which are eventually funneled back to the regime. According to FBI officials, this moneymaking operation is worth hundreds of millions of dollars annually.
Treasury officials have emphasized that North Korea’s IT worker program involves “thousands of highly skilled workers” primarily based in China and Russia. These individuals contribute significant funds to Kim Jong Un’s weapons development efforts, including his nuclear and ballistic missile programs.
In addition to sanctioning Song Kum Hyok, the Treasury Department has targeted four entities involved in a Russia-based IT worker scheme. These entities were found to be facilitating financial flows to North Korea. One of the sanctioned groups is the “Asatryan IT Worker Network,” led by Gayk Asatryan. The network’s founder reportedly signed a 10-year contract with the North Korean regime in 2024, agreeing to send up to 30 North Korean IT workers to work in Russia for his company.
The U.S. actions are part of a broader effort to disrupt North Korea’s cyber espionage activities and its attempts to impersonate American workers. These measures align with a 2016 United Nations Security Council Resolution aimed at curbing the country’s unlawful weapons development.
Treasury Deputy Secretary Michael Faulkender stated that today’s actions underscore the importance of vigilance against North Korea’s continued efforts to secretly fund its weapons programs. He reiterated the government’s commitment to using all available tools to counter the regime’s digital asset theft, attempts to impersonate Americans, and malicious cyber-attacks.
North Korean cyber operatives involved in these schemes often hide their locations and use proxy accounts, stolen identities, and falsified documents to apply for jobs in wealthier countries. Their work spans various industries, including business, health and fitness, social networking, sports, entertainment, and lifestyle. Many of these projects involve virtual currency exchanges, enabling the operatives to launder money back to the regime without detection.
In May, CBS Mornings featured “Steven Smith,” a suspected member of North Korea’s cyber army. Smith was caught by the cryptocurrency firm Kraken after being flagged as a potential North Korean spy through a “do not hire” list circulated by law enforcement.
These developments highlight the growing threat posed by North Korea’s cyber operations and the U.S. government’s determination to combat them through sanctions, international cooperation, and increased scrutiny of digital activities.
