North Korea’s secret hacker army crashed: $15M in crypto confiscated by US


The U.S. Justice Department has obtained five guilty pleas and moved to seize over USD 15 million linked to North Korea’s covert IT-worker schemes and crypto thefts, accusing Pyongyang of using the funds to support its weapons program in violation of global sanctions.

According to court filings, facilitators in the United States and Ukraine helped North Korean operatives obtain remote IT jobs with U.S. companies by providing stolen or falsified identities and hosting company-issued laptops to make it appear the workers were based inside the country.

The scheme affected more than 136 U.S. companies, generated over USD 2.2 million for the DPRK, and compromised the identities of at least 18 Americans.

In parallel complaints, authorities detailed how APT38 — a North Korean military hacking unit — conducted multimillion-dollar cryptocurrency thefts at four overseas platforms in 2023. U.S. agencies froze and seized more than USD 15 million linked to the hacks and are seeking forfeiture to return the funds to victims.

Senior Justice Department and FBI officials said the actions reflect a coordinated effort to disrupt North Korea’s illicit revenue networks, including its use of remote IT workers who pass employer vetting procedures with stolen identities and operate through proxy devices, false websites and unwitting intermediaries.

The guilty pleas were entered in federal courts in Georgia, the District of Columbia and Florida, involving U.S. and foreign nationals who aided DPRK-linked IT workers by fraudulently securing employment, hosting remote-access systems, and facilitating identity theft. Separately, two civil complaints were filed in the District of Columbia to forfeit more than USD 15 million in USDT seized from APT38-associated wallets following major cryptocurrency heists across Estonia, Panama and Seychelles in 2023.