Executive Summary
Laws and Precedent
The U.S. Justice Department announced sweeping nationwide actions on November 14, 2025, targeting illicit revenue generation schemes by the North Korean government, including five guilty pleas and the civil forfeiture of over $15 million in virtual currency. These aggressive measures aim to disrupt North Korea’s efforts to fund its weapons programs and other priorities, which violate international sanctions, through sophisticated remote IT worker fraud and multimillion-dollar virtual currency heists.
DOJ’s Multi-Pronged Approach
These latest actions are part of the Department’s DPRK RevGen: Domestic Enabler Initiative, a joint effort by the National Security Division (NSD) and FBI Cyber and Counterintelligence Divisions. The initiative prioritizes targeting and disrupting North Korea’s illicit revenue generation schemes and its U.S.-based enablers. Assistant Attorney General for National Security John A. Eisenberg emphasized that the Department will utilize every available tool to protect the nation from the regime’s depredations.
The Schemes Uncovered
The investigations revealed two primary methods used by the North Korean government to generate illicit revenue. Both schemes exploit vulnerabilities in the global financial system and U.S. companies.
Remote IT Worker Fraud
Facilitators in the United States and Ukraine assisted North Korean actors in securing remote IT employment with U.S. companies. These facilitators provided false, stolen, or their own identities, and hosted company-provided laptops at U.S. residences. This created the deceptive appearance that the IT workers were operating domestically.
This fraudulent employment scheme impacted more than 136 U.S. victim companies, generating over $2.2 million in revenue for the North Korean regime. Additionally, the identities of more than 18 U.S. persons were compromised during these operations. FBI Assistant Director Roman Rozhavsky noted that North Korean remote IT workers have also engaged in data extortion and exfiltration of proprietary and sensitive data from U.S. companies.
Virtual Currency Heists
A North Korean military hacking group, known in the private sector as Advanced Persistent Threat 38 (APT38), executed multimillion-dollar virtual currency heists at four overseas virtual currency platforms in 2023. These heists included thefts of approximately $37 million from an Estonia-based processor, $100 million from a Panama-based processor, $138 million from a Panama-based exchange, and $107 million from a Seychelles-based exchange.
While APT38 actors continued to launder their ill-gotten gains, the U.S. government successfully froze and seized over $15 million worth of virtual currency. The Justice Department now seeks to forfeit these funds for eventual return to their rightful owners. Acting Assistant Attorney General Matthew R. Galeotti highlighted that hostile nation-states raising funds for illicit programs by stealing from digital asset exchanges threatens both national and economic security.
Guilty Pleas Across Three Districts
The nationwide crackdown resulted in guilty pleas from four U.S. nationals and one Ukrainian identity broker, demonstrating the extensive reach of these illicit networks.
Florida Man Pleads Guilty to Wire Fraud Conspiracy
On November 6, Erick Ntekereze Prince, 30, a U.S. national, pleaded guilty in the U.S. District Court for the Southern District of Florida to one count of wire fraud conspiracy. Through his company, Taggcar Inc., Prince contracted to supply IT workers to U.S. companies, knowing they were overseas and using false or stolen identities.
Prince hosted victim company laptops at Florida residences and installed unauthorized remote access software to create the false impression of domestic work. He earned over $89,000 for his role in the scheme, which impacted more than 64 U.S. companies and generated over $943,069 in salary payments for the North Korean IT workers. Co-defendants Emanuel Ashtor and Pedro Ernesto Alonso de los Reyes are awaiting trial and extradition, respectively.
Georgia Defendants Admit to Identity Fraud
On November 13, U.S. nationals Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34, each pleaded guilty in the U.S. District Court for the Southern District of Georgia to one count of wire fraud conspiracy. From September 2019 through November 2022, they provided their U.S. identities to overseas IT workers for fraudulent employment applications.
These defendants also hosted company laptops and installed remote access software, creating the illusion of domestic employment. Travis and Salazar even appeared for drug testing on behalf of the overseas IT workers. Travis, an active-duty U.S. Army member at the time, received at least $51,397, while Phagnasay and Salazar earned $3,450 and $4,500, respectively. This scheme generated approximately $1.28 million in salary payments for the North Korean IT workers.
Ukrainian Broker Convicted in D.C.
On November 10, Ukrainian national Oleksandr Didenko pleaded guilty in the U.S. District Court for the District of Columbia to one count of wire fraud conspiracy and one count of aggravated identity theft. Didenko orchestrated a years-long scheme, stealing U.S. citizens’ identities and selling them to overseas IT workers, including North Koreans, to secure employment at 40 U.S. companies.
Victim companies paid Didenko’s IT worker clients hundreds of thousands of dollars. As part of his plea, Didenko agreed to forfeit over $1.4 million, including seized fiat and virtual currency. Didenko was arrested by Polish authorities in May 2024 and extradited to the United States on December 10, 2024.
Over $15 Million in Stolen Funds Seized
The Department recently filed two civil complaints in the District of Columbia to forfeit over $15 million in USDT, a virtual currency stablecoin, seized by the FBI in March 2025 from North Korean APT38 actors. These forfeiture actions relate directly to the 2023 virtual currency heists.
Efforts to trace, seize, and forfeit additional stolen virtual currency remain ongoing as APT38 actors continue to launder funds through various virtual currency bridges, mixers, exchanges, and over-the-counter traders.
Continued Vigilance Against North Korean Threats
The Justice Department continues to issue public advisories regarding the threats posed by North Korean illicit revenue generation schemes. These advisories highlight red flag indicators and potential mitigation measures for U.S. companies and individuals.
North Korean IT workers have been known to individually earn up to $300,000 annually, collectively generating hundreds of millions of dollars each year for entities involved in North Korea’s weapons programs. The U.S. Department of State offers rewards of up to $5 million for information supporting international efforts to disrupt North Korea’s illicit financial activities.
