The Justice Department has announced major developments in its ongoing efforts to disrupt illicit financing operations linked to North Korea. Five defendants have pleaded guilty in a wide-ranging scheme involving identity fraud, remote IT employment, and large-scale virtual currency theft.
The department has also initiated civil forfeiture actions totaling more than $15 million. These actions target financial networks supporting the DPRK government’s weapons program. The case highlights growing concerns surrounding virtual currency heists, identity theft, and the exploitation of U.S. companies through fraudulent remote employment schemes.
North Korean IT Employment Schemes Exposed
According to court documents, U.S. and Ukrainian facilitators helped North Korean IT workers obtain remote jobs with American companies. By providing stolen or falsified identities, hosting employer-issued laptops in the United States, and installing remote-access tools, the defendants created the false impression that the workers were operating domestically.
Investigators say the scheme affected more than 136 U.S. companies, generated over $2.2 million in revenue for the DPRK regime, and compromised the identities of at least 18 American citizens. These tactics align with methods highlighted in federal advisories regarding identity misuse, proxy networks, and false documentation used by foreign threat actors—including those involved in virtual currency theft and broader revenue-generation operations.
$15 Million in Virtual Currency Seized
In a parallel action, two civil forfeiture complaints detail how the North Korean hacking group APT38 targeted four overseas virtual currency platforms in 2023. These virtual currency heists resulted in hundreds of millions of dollars being stolen from payment processors and exchanges in Estonia, Panama, and Seychelles.
While DPRK-linked actors attempted to launder the stolen funds through mixers, bridges, and over-the-counter traders, U.S. authorities successfully froze and seized more than $15 million worth of USDT stablecoins. Federal officials intend to forfeit the assets so they can eventually be returned to victims.
Virtual Currency Theft: Three Guilty Pleas in Georgia
In the Southern District of Georgia, U.S. nationals Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis pleaded guilty to wire fraud conspiracy. From 2019 to 2022, the trio knowingly supplied their personal identities to overseas IT workers and assisted them in bypassing employer screening procedures.
Travis, who served in the U.S. Army during the scheme, received over $51,000 for his involvement. Prosecutors emphasized that the fraudulent operation resulted in more than $1.28 million in salaries being paid out by victim companies, with most of the funds transferred to workers operating outside the United States.
Ukrainian Identity Broker Admits Role
On Nov. 10, Ukrainian national Oleksandr Didenko pleaded guilty in the District of Columbia to wire fraud conspiracy and aggravated identity theft. Didenko sold stolen identities to foreign IT workers— including those linked to North Korea—helping them secure jobs at more than 40 U.S. companies. He agreed to forfeit more than $1.4 million in fiat and digital currency.
Florida Defendant Pleads Guilty in Related Case
In the Southern District of Florida, U.S. citizen Erick Ntekereze Prince admitted to wire fraud conspiracy connected to fraudulent staffing operations. Prince supplied U.S. companies with remote IT workers who were, in fact, based overseas and using stolen identities. His participation earned him more than $89,000. Two co-defendants remain pending trial or extradition.
Senior DOJ and FBI officials said the coordinated actions reflect a comprehensive federal strategy to counter North Korea’s illicit revenue-generation networks. They warned that DPRK-linked cyber operations—including identity fraud and virtual currency theft, remain a persistent threat to national and economic security.
Authorities urged U.S. companies to strengthen vetting processes for remote workers and remain alert to identity anomalies, unauthorized access tools, and other indicators of foreign fraud.
