DOJ Moves to Seize $15M in Stolen USDT as American Accomplices Admit Helping North Korea’s APT38 Infiltrate 136 Companies
The U.S. Department of Justice has intensified its pursuit of North Korea’s state-backed hacking operations, launching a major forfeiture action against $15.1 million in stolen Tether (USDT) while simultaneously securing guilty pleas from five individuals who helped Pyongyang’s operatives embed themselves deep inside America’s corporate infrastructure.
The filings mark one of the clearest blows yet in Washington’s long-running effort to dismantle APT38—North Korea’s elite crypto-hacking apparatus responsible for some of the largest digital asset heists of the past decade.
Federal prosecutors say the seized USDT was traced directly to APT38 operations that looted multiple global crypto platforms in 2023, part of a sweeping theft campaign that has generated billions for the heavily sanctioned regime. The FBI tracked the stablecoin across mixers, cross-chain bridges, OTC desks and foreign exchanges before capturing the funds in March 2025.
The DOJ is now seeking court approval to permanently forfeit the assets so they can be returned to victims, underscoring the department’s growing ability to unwind even the most sophisticated laundering pipelines used by state-sponsored crypto criminals.
At the same time, the DOJ unsealed another critical part of its investigation: the human infrastructure inside the United States that North Korea relied upon to make its schemes work.
According to prosecutors, four U.S. citizens and one Ukrainian national played direct roles in enabling North Korean IT workers to secure remote jobs at American companies, granting them unauthorized access to corporate systems and funneling millions of dollars back to the regime.
Each played a distinct part. Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince admitted to wire fraud conspiracy after acknowledging that they provided their identities to North Korean operatives and agreed to host company-issued laptops in their homes.
This allowed overseas North Korean workers to remotely access U.S. corporate networks while appearing as domestic employees, bypassing hiring checks and evading sanctions.
The fifth defendant, Ukrainian national Oleksandr Didenko, played the most extensive supporting role. According to court filings, he stole identities from U.S. citizens and sold them to North Korean operatives, helping them secure remote IT roles at more than 40 American companies.
Didenko not only facilitated onboarding but also received profit shares from the scheme, generating over $1.4 million before he was arrested. As part of his plea agreement, he agreed to forfeit those proceeds.
In total, the group helped North Korean IT workers infiltrate 136 U.S. companies, generating more than $2.2 million in revenue for Pyongyang’s government. Prosecutors said the operatives passed salaries, commissions and—potentially—sensitive corporate information back to North Korea, where the funds were ultimately used to support weapons programs and cyber operations.
The case highlights the growing sophistication of the regime’s hybrid revenue model, which pairs large-scale crypto hacks with covert employment fraud to generate foreign currency despite international sanctions.
The DOJ said North Korea’s reliance on these dual revenue streams continues to accelerate. Federal agencies have repeatedly warned that remote IT worker schemes allow North Korean operatives to embed themselves inside major companies, including those handling sensitive financial or technological data.
Meanwhile, blockchain analytics firms estimate that North Korea-linked hackers have stolen more than $2 billion in crypto so far in 2025—making the regime the most prolific state-backed cyber threat actor in the digital asset ecosystem.
By targeting both the stolen crypto and the enablers who facilitated North Korea’s access to U.S. corporate networks, the DOJ is attempting to shrink the financial and operational space available to groups like APT38. The department emphasized that this will not be the last action, reaffirming that efforts to trace, seize and return stolen digital assets will continue as more laundering channels are exposed.
The case marks a rare moment in which U.S. authorities not only intercepted North Korea’s illicit crypto flows but also disrupted the domestic scaffolding that made those schemes possible—an approach that signals a deeper shift in how the government plans to counter the world’s most aggressive state-sponsored crypto theft operation.