The United States has imposed sanctions on a North Korean hacker from the Andariel group who organized a scheme to place IT specialists in Western companies under false identities in order to transfer their income to the DPRK regime via cryptocurrencies.

According to the US Treasury Department, 38-year-old Song Kum-hyeok, a resident of Jilin Province (China), used stolen American identities (names, addresses, SSNs) to disguise North Korean IT specialists as US citizens. These specialists obtained remote work at American companies, and their earnings, moved through cryptocurrency chains, were used to finance cyber operations and Pyongyang’s weapons program.
As part of the investigation, 29 crypto accounts, 21 phishing sites and almost 200 computers were seized. Sanctions were also imposed on Russian citizen Hayk Asatryan and the companies Asatryan LLC and Fortuna LLC, which helped to employ North Korean specialists in the Russian Federation, and on two related Korean companies. This is the first time that the Andariel group (APT45) has been officially linked to such a scheme – it was previously considered a subgroup of Lazarus.
The Andariel group is part of the North Korean intelligence agency and is closely linked to the activities of Lazarus. According to DTEX analyst Michael Barnhart, the IT worker scheme is not new, but its scale is impressive: a remote employee can be physically located in China, be hired by a firm from Singapore, and work for a contractor in the EU that serves customers in the US.