North Korea has found another source of funding — using large international technology and crypto companies

Hackers from North Korea find jobs in foreign IT companies. How it happens

09.07.2025


The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has added North Korean citizen Song Kum Hyok to its sanctions list. GetBlock AML Research explains why this individual has caught the attention of US authorities.

Andariel group

OFAC believes that Song Kum Hyok was responsible for creating the Andariel special group and organizing its successful operation. The group consists of North Korean IT specialists who, posing as citizens of other countries under fake identities, infiltrated large companies and transferred the proceeds to the North Korean government.

Some members of the Andariel group were physically located in China and Russia. OFAC imposed sanctions against one individual and four organizations from Russia that helped members of the group conduct illegal activities.

Russian trace

Russian citizen Gayk Asatryan and companies controlled by him (Asatryan LLC and Fortuna LLC) came under US sanctions for assisting the North Korean group Andariel. In total, Asatryan’s organizations hired more than 80 North Korean IT specialists who were brought to Russia.

Andariel’s targets

According to an OFAC investigation, the group of IT specialists primarily targets large technology organizations and blockchain companies. US authorities estimate that thousands of employees from North Korea may currently be embedded in large companies around the world. They use fake or stolen documents, VPNs, and proxy servers to hide their true origin.

Revenue is transferred to the North Korean government in USDC and USDT stablecoins through a complex blockchain obfuscation scheme. Song Kum Hyok acted as a handler for the Andariel group and was responsible for creating fake identities as well as stealing the identities of US citizens.

Footprints on the blockchain

Restrictive measures against Song Kum Hyok and his group followed the discovery by US authorities of an Andariel cell that attempted to conceal $7.7 million in cryptocurrency transfers. They also identified members of the group who worked for large companies using fake documents in the names of Joshua Palmer and Alex Hong.

Using disposable addresses, cross-chain bridges, and centralized exchanges, cryptocurrency was transferred to high-ranking DPRK officials (Kim Sang Man and Sim Hyun Soo), who are already under US sanctions. The Andariel group uses the technological infrastructure of Russia and the UAE to carry out illegal activities.

Structure of transfers to Kim Sang Man and Sim Hyun Soo’s wallets.

Data: TRM Labs

The $7.7 million discovered by OFAC that North Korean fraudsters received from US employers was seized by law enforcement. The US Treasury Department has asked the Justice Department to turn over the seized funds for government use.

GetBlock AML Research has previously alerted readers to the danger of North Korean hackers posing as IT specialists. Hackers from North Korea disguised as qualified specialists got jobs at the company of Pepe meme creator Matt Furie, gained access to smart contracts of several projects, and withdrew assets from them.
