In a sweeping multinational enforcement action, the U.S. Department of Justice (DOJ) has announced five guilty pleas and more than $15 million in civil forfeiture actions tied to North Korea’s illicit remote IT-worker programs and large-scale cryptocurrency thefts. The schemes—run by the government of the Democratic People’s Republic of Korea (DPRK)—aim to directly fund the regime’s weapons programs in violation of U.S. and international sanctions.
Court documents reveal that U.S.-based and Ukrainian facilitators helped North Korean IT workers fraudulently obtain remote employment at over 136 U.S. companies, generating more than $2.2 million for the DPRK regime. Facilitators provided false or stolen identities, hosted employer-issued laptops, and even helped workers pass vetting processes.
According to the DOJ, the conspirators created the false appearance that the IT workers were working domestically, including by having U.S.-based accomplices undergo drug testing on behalf of North Korean workers.
The schemes also compromised the identities of more than 18 U.S. persons, deepening the collateral damage to U.S. civilians and businesses.
The DOJ also announced civil forfeiture actions targeting North Korean military hacking group APT38, responsible for a series of multimillion-dollar cryptocurrency attacks in 2023. APT38—publicly linked to the Lazarus Group—conducted heists at four overseas virtual currency platforms, stealing hundreds of millions of dollars.
The press release states that APT38 “carried out multimillion-dollar virtual currency heists at four overseas virtual currency platforms in 2023”, and that “the U.S. government froze and seized more than $15 million worth of virtual currency that it now seeks to forfeit for eventual return to the rightful owners.”
The thefts included:
- $37 million from an Estonia-based processor
- $100 million from a Panama-based payment processor
- $138 million from another Panama exchange
- $107 million from a Seychelles-based exchange
APT38 continues laundering funds through mixers, bridges, and OTC brokers, but investigators are actively tracing the stolen currency.
Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis admitted to wire fraud conspiracy for providing their identities—or appearing for drug tests—to help foreign IT workers pass U.S. employment vetting. Their actions enabled over $1.28 million in fraudulent salary payments to DPRK-linked workers.
Ukrainian national Oleksandr Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft for selling stolen U.S. identities to overseas IT workers, including North Koreans. He agreed to forfeit more than $1.4 million, including fiat and cryptocurrency.
Erick Ntekereze Prince admitted to knowingly supplying North Korean IT workers to U.S. companies via his business, Taggcar Inc. Prince earned more than $89,000, while the broader scheme generated over $943,000 in fraudulent salary payments.
The DOJ filed two forfeiture complaints targeting over 15 million USDT, all seized from APT38 operators in March 2025. The seized funds represent a fraction of the group’s 2023 thefts but mark a significant blow to DPRK cyber-financing.
The FBI, Treasury, State Department, and ODNI have all issued advisories warning that North Korean IT workers can individually earn up to $300,000 annually, collectively generating hundreds of millions of dollars for DPRK military programs.
The U.S. State Department continues offering rewards of up to $5 million for information disrupting DPRK’s illicit cyber and financial activity.