The U.S. Department of Justice announced a series of wins against North Korea’s remote IT worker schemes and cryptocurrency theft operations, including five guilty pleas and over $15 million in seized funds linked to APT38. Ukrainian national Oleksandr Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft for running a site that sold stolen U.S. identities to overseas IT workers and operating laptop farms that allowed North Korean operatives to appear as domestic employees. Three U.S. nationals—Audricus Phagnasay, Jason Salazar and Alexander Paul Travis—also pleaded guilty to providing their identities and hosting company-issued laptops for North Korean workers, behavior that maps to T1078 (Valid Accounts) and T1133 (External Remote Services) as part of sanctions-evasion activity. Another U.S. national, Erick Ntekereze Prince, admitted to using his company Taggcar Inc. as a front to place North Korean workers at U.S. firms using stolen or fabricated identities, further expanding the regime’s revenue channels. Collectively, these schemes helped North Korean IT workers gain employment at more than 100 U.S. companies and generate approximately $2.2 million in salaries for the regime. The laptop farms and identity laundering allowed DPRK operatives to pass background checks, even to the point where U.S. facilitators took drug tests on their behalf, illustrating how social engineering, identity theft and remote access tools combine in T1566 (Phishing) and T1105 (Ingress Tool Transfer) patterns.

In parallel, DOJ announced the seizure of more than $15 million in cryptocurrency traced to APT38, also known as Lazarus or TraderTraitor, tied to a string of 2023 thefts from crypto platforms in Estonia, Panama and Seychelles. These included tens of millions of dollars stolen from exchanges and payment providers, with stolen funds laundered through mixers and multiple exchanges to disguise origin.
For financial institutions, exchanges and DeFi platforms, this underscores ongoing operational and sanctions risk from DPRK-linked activity, as well as the importance of blockchain analytics and law enforcement partnerships. For enterprises, these prosecutions signal that U.S. authorities are prioritizing disruption of North Korea’s revenue streams, but also highlight how easily corporate hiring and remote work processes can be abused by sanctioned actors. Organizations should treat remote IT hiring as a potential sanctions and security exposure, incorporating identity verification, IP and device checks, and continuous monitoring for anomalous access patterns. Crypto platforms should maintain robust KYC/AML processes, collaborate with law enforcement and integrate on-chain risk intelligence to detect and freeze funds linked to APT38 and similar threat actors.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: The DOJ actions demonstrate that North Korean IT worker schemes and APT38 crypto thefts directly impact U.S. companies, which may unknowingly employ sanctioned individuals and face regulatory or reputational consequences. Crypto platforms and fintech firms remain prime targets for large-scale theft, while organizations across sectors must account for sanctions risk in remote hiring and vendor relationships.

Technical Context: DPRK actors leveraged stolen and voluntarily supplied U.S. identities, laptop farms and remote access software to embed IT workers in U.S. companies, aligning with T1078, T1133 and T1105. APT38’s cryptocurrency thefts involved compromises of crypto platforms and subsequent on-chain laundering, reinforcing the need for strong access controls, transaction monitoring and blockchain analytics as part of financial sector defenses.
⚡Strategic Intelligence Guidance
- Integrate sanctions screening, robust identity verification and IP/geolocation checks into remote hiring, contractor onboarding and vendor management workflows for IT roles.
- Require corporate-managed devices, strong MFA and device posture checks for remote workers, and monitor for patterns indicative of laptop farms or shared endpoint access.
- For crypto and fintech organizations, invest in blockchain analytics, KYC/AML enhancements and automated screening of wallets and transactions linked to DPRK threat actors like APT38.
- Coordinate with law enforcement and information-sharing groups to receive indicators tied to North Korean IT worker schemes and crypto thefts, and incorporate them into SIEM and fraud detection tools.
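Added example, not part of the original report: detection logic in Python for the two laptop-farm indicators the guidance above names, several employees' company-managed laptops egressing from a single IP and remote-control tools running on those same laptops, run over constructed sample telemetry. The record fields, the IP addresses, the user and device names and the tool watchlist are all assumptions made for this example.

```python
"""Two laptop-farm indicators run over constructed telemetry: several employees'
company-managed laptops egressing from one residential IP, and an unsanctioned
remote-control tool running on those same laptops."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Each record is a VPN logon or an
# EDR process start; the field names are assumptions made for this example.
EVENTS = [
    {"user": "jdoe",   "device": "LT-0412", "src_ip": "203.0.113.40", "process": None},
    {"user": "asmith", "device": "LT-0587", "src_ip": "203.0.113.40", "process": None},
    {"user": "rlee",   "device": "LT-0619", "src_ip": "203.0.113.40", "process": None},
    {"user": "jdoe",   "device": "LT-0412", "src_ip": "203.0.113.40", "process": "AnyDesk.exe"},
    {"user": "asmith", "device": "LT-0587", "src_ip": "203.0.113.40", "process": "rustdesk.exe"},
    {"user": "mjones", "device": "LT-0333", "src_ip": "198.51.100.7", "process": None},
    {"user": "mjones", "device": "LT-0333", "src_ip": "198.51.100.7", "process": "outlook.exe"},
]

# Assumed watchlist of remote-control binaries the organization has not sanctioned.
REMOTE_CONTROL_TOOLS = {"anydesk.exe", "rustdesk.exe", "teamviewer.exe"}


def shared_egress(events, min_users=3):
    """Return {src_ip: sorted users} for IPs used by >= min_users distinct employees
    on >= min_users distinct managed devices (one facilitator hosting many laptops)."""
    users_by_ip, devices_by_ip = defaultdict(set), defaultdict(set)
    for e in events:
        users_by_ip[e["src_ip"]].add(e["user"])
        devices_by_ip[e["src_ip"]].add(e["device"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users and len(devices_by_ip[ip]) >= min_users}


def remote_tool_devices(events, watchlist=REMOTE_CONTROL_TOOLS):
    """Sorted devices on which a watchlisted remote-control process was started."""
    return sorted({e["device"] for e in events
                   if e["process"] and e["process"].lower() in watchlist})


def laptop_farm_findings(events, min_users=3):
    """Combine both signals: for each shared-egress IP, list the users behind it and
    which of the co-located devices also ran a remote-control tool."""
    tools = set(remote_tool_devices(events))
    findings = []
    for ip, users in shared_egress(events, min_users).items():
        devices = {e["device"] for e in events if e["src_ip"] == ip}
        findings.append({"src_ip": ip, "users": users,
                         "devices_with_remote_tool": sorted(devices & tools)})
    return findings
```

Tune `min_users` and the watchlist to your environment; a shared corporate NAT address will trip the egress check unless known office and VPN concentrator IPs are excluded first.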
Threats
North Korean IT worker scheme, APT38, Lazarus Group
Targets
U.S. companies hiring remote IT workers, Cryptocurrency platforms, Financial technology firms
Impact
Financial: $2.2 million salaries; $15 million crypto seized