Tuesday, March 17, 2026

North Korean Hackers Breach 136 U.S. Companies, Generating $2.2 Million In Revenue

The U.S. Justice Department revealed a significant crackdown on North Korean schemes funding weapons programs through fake IT jobs and cryptocurrency thefts.

On November 14, 2025, officials announced five guilty pleas and over $15 million in seized virtual currency tied to these operations.

Disrupting The IT Fraud Network

North Korean operatives used stolen American identities to secure remote IT positions at U.S. firms, earning salaries that funneled money back to Pyongyang.

Facilitators in the U.S. and Ukraine helped by providing fake profiles, including Social Security numbers and addresses, often sourced from data breaches.

These enablers hosted company-issued laptops in “laptop farms,” clusters of devices at U.S. residences, to simulate domestic work.

Remote access tools like TeamViewer or AnyDesk allowed North Koreans to control the machines via VPNs and proxies, masking their overseas locations.
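For defenders, the laptop-farm pattern described above can be hunted in endpoint telemetry. The following is an added example, not part of the original report or any agency's tooling: it flags public IP addresses from which several company laptops assigned to different employees all run TeamViewer or AnyDesk. The event layout, device names, IP addresses and the `find_laptop_farms` helper are assumptions constructed for illustration.

```python
from collections import defaultdict

REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe"}  # the two tools named in the article

# Constructed telemetry rows: (device_id, assigned_user, public_ip, process_names)
SAMPLE_EVENTS = [
    ("LT-1001", "a.smith", "203.0.113.10", ["chrome.exe", "AnyDesk.exe"]),
    ("LT-1002", "b.jones", "203.0.113.10", ["code.exe", "TeamViewer.exe"]),
    ("LT-1003", "c.lee", "203.0.113.10", ["AnyDesk.exe", "slack.exe"]),
    ("LT-2001", "d.kim", "198.51.100.7", ["TeamViewer.exe"]),   # lone device
    ("LT-3001", "e.roy", "192.0.2.44", ["chrome.exe"]),         # shared home,
    ("LT-3002", "f.roy", "192.0.2.44", ["outlook.exe"]),        # no remote tool
    ("LT-4001", "g.ng", "198.51.100.200", ["TeamViewer.exe"]),  # office egress
    ("LT-4002", "h.ali", "198.51.100.200", ["AnyDesk.exe"]),
]
OFFICE_EGRESS = {"198.51.100.200"}  # constructed: known corporate egress IP


def find_laptop_farms(events, known_egress=frozenset(), min_devices=2):
    """Return public IPs where at least min_devices laptops, assigned to
    different users, all run a remote-access tool. Known corporate egress
    addresses are skipped, since many laptops legitimately share them."""
    by_ip = defaultdict(dict)  # ip -> {device_id: (user, tools_seen)}
    for device, user, ip, procs in events:
        if ip in known_egress:
            continue
        tools = {p.lower() for p in procs} & REMOTE_TOOLS
        if tools:
            # Merge repeated check-ins from the same device.
            seen = by_ip[ip].get(device, (user, set()))[1]
            by_ip[ip][device] = (user, seen | tools)
    findings = []
    for ip, devices in sorted(by_ip.items()):
        users = {u for u, _ in devices.values()}
        if len(devices) >= min_devices and len(users) >= min_devices:
            findings.append({
                "ip": ip,
                "devices": sorted(devices),
                "users": sorted(users),
                "tools": sorted(set().union(*(t for _, t in devices.values()))),
            })
    return findings


if __name__ == "__main__":
    for finding in find_laptop_farms(SAMPLE_EVENTS, OFFICE_EGRESS):
        print(finding)
```

A hit is a lead for review, not proof: households with two remote employees or sanctioned helpdesk tooling can match, so the allow-list and threshold need tuning per environment.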

The scheme impacted 136 companies, generating $2.2 million for the Democratic People’s Republic of Korea (DPRK) while compromising 18 U.S. identities.

Applicants crafted polished resumes using AI to fix grammar and generate professional images, then built fake digital footprints on LinkedIn and GitHub with fabricated code portfolios.

During hiring, deepfake video tools and voice changers helped pass interviews, while accomplices handled background checks and even drug tests.

Four U.S. nationals (Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince) pleaded guilty to wire fraud conspiracy.

Travis, a U.S. Army soldier, earned $51,397 by hosting laptops from 2019 to 2022.

Phagnasay and Salazar made $3,450 and $4,500, respectively, aiding a fraud that netted $1.28 million in salaries.

Prince, via his firm Taggcar Inc., supplied “certified” workers to 64 companies from 2020 to 2024, pocketing $89,000.

Ukrainian Oleksandr Didenko sold stolen identities to 40 firms, resulting in the forfeiture of $1.4 million, including seized crypto.

“These actions disrupt North Korean efforts to finance weapons on Americans’ backs,” said Assistant Attorney General John A. Eisenberg.

The FBI’s DPRK RevGen Initiative targets these enablers, following prior indictments in January and June 2025.

Seizing Stolen Cryptocurrency

Parallel to the IT fraud, North Korea’s APT38 hacking group, part of the Lazarus Group under the Reconnaissance General Bureau, stole over $382 million in virtual currency from four platforms in 2023.

Attacks hit an Estonia-based processor ($37 million in July), two Panama-based firms ($100 million and $138 million), and a Seychelles exchange ($107 million in November).

APT38 deployed advanced malware, including RATANKBA for remote access and Manuscrypt backdoors, to exfiltrate data from crypto wallets.

They laundered funds through bridges, mixers, and over-the-counter traders, converting to Bitcoin and dispersing across blockchains.

The FBI traced and froze 15 million USDT (a dollar-pegged stablecoin) valued at over $15 million, filing forfeiture complaints on October 24 and November 14, 2025.

Ongoing probes by the FBI’s Virtual Assets Unit aim to return funds to victims.

“Hostile states stealing from exchanges threaten security,” said Acting Assistant Attorney General Matthew R. Galeotti.

FBI Assistant Director Roman Rozhavsky urged firms to vet remote hires rigorously, citing public alerts from May 2024 and January 2025.

This multi-pronged effort highlights DPRK’s evolution in sanctions evasion, blending social engineering with cyber tactics to fund illicit priorities.

The State Department offers up to $5 million in rewards for disrupting such activities.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
