DOJ says US citizens helped North Korean IT workers infiltrate 136 companies

The U.S. Department of Justice (DOJ) has moved to forfeit more than $15 million in USDT stolen by North Korean hackers and secured guilty pleas from five people who helped Pyongyang infiltrate American companies with fake IT workers.

The DOJ filed two civil forfeiture complaints seeking to keep $15.1 million worth of Tether's USDT stablecoin that was stolen by North Korean hackers in 2023, the department announced Friday.

The seized crypto was traced to Advanced Persistent Threat 38 (APT38), a North Korean military hacking group that carried out heists targeting four overseas virtual currency platforms in 2023. The FBI seized the funds in March 2025 and is now seeking court approval to forfeit the assets for return to the victims.

The seized crypto comes from four incidents that the announcement does not specify, but clues indicate the agency may be referring to the over $100 million Nov. 2023 hack of exchange Poloniex, the $37 million hack of crypto firm CoinsPaid in July 2023, the $60 million hack (which the DOJ pegs at about $100 million) of payments processor Alphapo that same month, and an unspecified "November 2023 theft of approximately $138 million from a Panama-based virtual currency exchange." The DOJ has not publicly confirmed which incidents the forfeiture complaints cover.

"Efforts to trace, seize, and forfeit related stolen virtual currency remain ongoing, as the APT38 actors continue to launder such funds through various virtual currency bridges, mixers, exchanges, and over-the-counter traders," the agency said in its statement.

U.S. citizens helped North Korean IT workers

On Friday, the DOJ also announced it had secured guilty pleas from four U.S. citizens and one Ukrainian national who admitted to helping North Korean IT workers fraudulently obtain employment at U.S. companies by providing stolen identities and hosting company laptops.

Four U.S. citizens — Audricus Phagnasay, 24, Jason Salazar, 30, Alexander Paul Travis, 34, and Erick Ntekereze Prince, 38 — pleaded guilty to wire fraud conspiracy for providing their identities to North Korean workers and hosting company-issued laptops at their homes to make it appear the workers were based in the United States.

Ukrainian national Oleksandr Didenko also pleaded guilty on Nov. 10 to wire fraud conspiracy and aggravated identity theft for stealing U.S. citizens' identities and selling them to North Korean IT workers. Didenko helped North Koreans gain employment at 40 U.S. companies and agreed to forfeit more than $1.4 million as part of his plea deal.

The schemes affected more than 136 U.S. companies, generated more than $2.2 million in revenue for the North Korean regime, and compromised the identities of more than 18 U.S. citizens, the DOJ said.

North Korea has increasingly relied on both cryptocurrency theft and remote IT worker schemes to generate revenue in violation of international sanctions. A 2022 advisory from the FBI, Treasury, and State Department warned that North Korean IT workers can earn up to $300,000 annually, collectively funneling hundreds of millions of dollars into programs run by the country's Ministry of Defense.

North Korean hackers have stolen more than $2 billion in cryptocurrency so far in 2025 alone, making the regime one of the most prolific crypto theft operations globally, per an Elliptic analysis.
