Justice Department Announces Nationwide Actions to Combat Illicit North Korean Government Revenue Generation

Four U.S. Nationals and Ukrainian Identity Broker Plead Guilty

Department Seeks Forfeiture of More Than $15M in Virtual Currency Stolen and Laundered by North Korean Hackers

The Justice Department today announced five guilty pleas and more than $15 million in civil forfeiture actions against the Democratic People's Republic of Korea (DPRK) remote information technology (IT) work and virtual currency heist schemes. The DPRK government uses both types of schemes to fund its weapons and other priorities in violation of sanctions.

First, as described in court documents associated with the guilty pleas, facilitators in the United States and Ukraine assisted North Korean actors with obtaining remote IT employment with U.S. companies. For example, the facilitators' provided their own, false, or stolen identities, and hosted U.S. victim company-provided laptops at residences across the United States to create the false appearance that the IT workers were working domestically. In total, these defendants' fraudulent employment schemes impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons.

Second, as described in the two civil forfeiture complaints, a North Korean military hacking group known to the private sector as Advanced Persistent Threat 38 (APT38) carried out multimillion-dollar virtual currency heists at four overseas virtual currency platforms in 2023. While APT38 actors continued to launder their ill-gotten gains for these heists, the U.S. government froze and seized more than $15 million worth of virtual currency that it now seeks to forfeit for eventual return to the rightful owners.

"These actions demonstrate the Department's comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans," said Assistant Attorney General for National Security John A. Eisenberg. "The Department will use every available tool to protect our Nation from this regime's depredations."

"Ensuring national and economic security are paramount to the Department's mission," said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division. "Hostile nation-states raising funds for illicit programs by stealing from digital asset exchanges threatens both. The Criminal Division is steadfast in its determination to forfeit ill-gotten gains from bad actors and return funds to victims."

"FBI investigations continue to expose the North Korean government's relentless campaign to evade U.S. sanctions and generate millions of dollars to fund its authoritarian regime and weapons programs," said Assistant Director Roman Rozhavsky of the FBI's Counterintelligence Division. "These guilty pleas send a clear message: No matter who or where you are, if you support North Korea's efforts to victimize U.S. businesses and citizens, the FBI will find you and bring you to justice. We ask all our private sector partners to improve their security process for vetting remote workers and to remain vigilant regarding this emerging threat."

The Department's actions to combat both the North Korean IT worker and hacking schemes are the latest in a series of law enforcement actions under a joint National Security Division (NSD) and FBI Cyber and Counterintelligence Divisions effort, the DPRK RevGen: Domestic Enabler Initiative. This effort prioritizes targeting and disrupting the DPRK's illicit revenue generation schemes and its U.S.-based enablers. The Department previously announced other actions pursuant to the initiative, including in January and June 2025.

As the FBI has described in Public Service Announcements published in May 2024 and January 2025, North Korean remote IT workers posing as legitimate remote IT workers have committed data extortion and exfiltrated the proprietary and sensitive data from U.S. companies. DPRK IT worker schemes typically involve the use of stolen identities, alias emails, social media, online cross-border payment platforms, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the U.S. and elsewhere.

Three Guilty Pleas - Southern District of Georgia

Yesterday, in the U.S. District Court for the Southern District of Georgia, U.S. nationals Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34, each pleaded guilty to one count of wire fraud conspiracy. From approximately September 2019 through November 2022, Phagnasay, Salazar, and Travis provided their U.S. identities to IT workers they knew were located outside the United States so that the workers could fraudulently apply for and obtain employment with victim U.S. companies. In addition, the three defendants hosted victim U.S. company-provided laptops at their residences, and installed remote access software on those laptops without authorization, so that the IT workers could create the false appearance that they were remote working from the defendants' residences. Each defendant also assisted overseas IT workers in passing employer vetting procedures. Travis and Salazar, in particular, appeared for drug testing on behalf of the overseas IT workers.

"My office is committed to pursuing individuals that seek to harm the United States," said U.S. Attorney Margaret E. Heap for the Southern District of Georgia. "This collaboration with our law enforcement agencies exemplifies how our joint efforts are successful in identifying, investigating and prosecuting those defendants."

Travis, an active-duty member of the U.S. Army at the time, received at least $51,397 for his participation in the scheme. Phagnasay and Salazar earned at least $3,450 and $4,500, respectively. The fraudulent scheme earned approximately $1.28 million in salary payments from the victim U.S. companies, the vast majority of which were sent to the IT workers overseas.

The FBI Augusta (Georgia) Resident Agency is investigating the cases.

Assistant U.S. Attorney Alexander Hamner for the Southern District of Georgia and Trial Attorney Jacques Singer-Emery of the NSD National Security Cyber Section are prosecuting the cases.

Oleksandr Didenko Guilty Plea - District of Columbia

On Nov. 10, in the U.S. District Court for the District of Columbia, Ukrainian national Oleksandr Didenko pleaded guilty to one count of wire fraud conspiracy and one count of aggravated identity theft in connection with a years-long scheme that stole the identities of U.S. citizens and sold them to overseas IT workers, including North Korean IT workers, so they could fraudulently gain employment at 40 U.S. companies. Victim U.S. companies paid Didenko's IT worker clients hundreds of thousands of dollars for their work. As part of his plea, Didenko agreed to forfeit more than $1.4 million, which includes more than $570,000 in fiat and virtual currency seized from Didenko and his co-conspirators.

"North Korea is focused on victimizing and perpetrating fraud on American citizens, companies, and banks by stealing the identity of U.S. citizens and selling them around the world so foreign actors can gain employment in America," said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia. "These convictions prove that we will stop at nothing to uncover complex fraud schemes especially when they are committed by North Korean actors to fund their weapons program."

The case was investigated by the FBI New York Field Office, with assistance from the FBI Norfolk and San Diego Field Offices and the Jefferson City (Tennessee) Resident Agency. In May 2024, Polish authorities arrested Didenko and on Dec. 10, 2024, he was extradited to the United States.

Assistant U.S. Attorneys Karen P. Seifert and Steven Wasserman for the District of Columbia are prosecuting the case, with valuable assistance from Trial Attorney Jacques Singer-Emery of the NSD National Security Cyber Section. The U.S. Attorneys' Offices for the Southern District of California, Eastern District of Tennessee, and Eastern District of Virginia, and the Justice Department's Office of International Affairs provided significant assistance.

Erick Ntekereze Prince Guilty Plea - Southern District of Florida

On Nov. 6, in the U.S. District Court for the Southern District of Florida, U.S. national Erick Ntekereze Prince, 30, pleaded guilty to one count of wire fraud conspiracy. From approximately June 2020 through August 2024, Prince, through his company Taggcar Inc., contracted to supply allegedly "certified" IT workers to victim U.S. companies, knowing that the IT workers were located outside the United States and were using false and stolen identities to gain employment. In addition, Prince hosted victim U.S. company-provided laptops at Florida residences and installed remote access software on those laptops without authorization, so that the IT workers could create the false appearance that they were remote working from Prince's residence. Prince earned more than $89,000 for his participation in the scheme.

"These prosecutions make one point clear: the United States will not permit the DPRK to bankroll its weapons programs by preying on American companies and workers," said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. "We will keep working with our partners across the Justice Department to uncover these schemes, recover stolen funds, and pursue every individual who enables North Korea's operations."

Prince, U.S. national Emanuel Ashtor, and a Mexican national Pedro Ernesto Alonso de los Reyes were charged in January 2025 by indictment alleging their participation in a criminal scheme that obtained work for North Korean IT workers from more than 64 U.S. companies. The fraudulent scheme earned more than $943,069 in salary payments from victim U.S. companies, the vast majority of which were sent to the IT workers overseas. Ashtor is awaiting trial, and de los Reyes is in custody in The Netherlands awaiting extradition.

The case was investigated by the FBI Miami Field Office.

Assistant U.S. Attorney Sean Cronin for the Southern District of Florida and Trial Attorney Gregory J. Nicosia Jr. of NSD's National Security Cyber Section are prosecuting the case.

Forfeiture Complaints for More Than $15 Million in Stolen Funds - District of Columbia

The Department recently filed two civil complaints to forfeit USDT, a virtual currency stablecoin pegged to the U.S. dollar, that the FBI seized in March 2025 from North Korean APT38 actors: an Oct. 24, 2025 complaint (1:25-cv-03771) to forfeit 1,159,834.52 USDT; and a complaint filed today (1:25-cv-03943) to forfeit 13,980,951.103 USDT. In total, the seized USDT is valued at more than $15 million.

As alleged in the complaints, the seized virtual currency relates to North Korean APT38 actors' efforts to raise revenue for the DPRK government through four heists from virtual currency providers: (1) a July 2023 theft of approximately $37 million in virtual currency from an Estonia-based virtual currency payments processor; (2) a July 2023 theft of approximately $100 million from a Panama-based virtual currency payment processor; (3) a November 2023 theft of approximately $138 million from a Panama-based virtual currency exchange; and (4) a November 2023 theft of approximately $107 million in virtual currency from a Seychelles-based virtual currency exchange. Efforts to trace, seize, and forfeit related stolen virtual currency remain ongoing, as the APT38 actors continue to launder such funds through various virtual currency bridges, mixers, exchanges, and over-the-counter traders.

The FBI Los Angeles Field Office and the FBI's Virtual Assets Unit are investigating the cases associated with these complaints.

Senior Counsel Jessica Peck of the Criminal Division's Computer Crime and Intellectual Property Section, Trial Attorneys Gregory J. Nicosia Jr. and Prava Palacharla of NSD's National Security Cyber Section and Assistant U.S. Attorney Rick Blaylock for the District of Columbia are handling the forfeiture actions.

***

Other public advisories about the threats, red flag indicators, and potential mitigation measures for these schemes include a May 2022 advisory released by the FBI, Department of the Treasury, and Department of State; a July 2023 advisory from the Office of the Director of National Intelligence; and guidance issued in October 2023 by the United States and the Republic of Korea (South Korea). As described the May 2022 advisory, North Korean IT workers have been known individually to earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK's weapons programs.

The U.S. Department of State has offered potential rewards for up to $5 million in support of international efforts to disrupt the DPRK's illicit financial activities, including for cybercrimes, money laundering, and sanctions evasion.