North Korea-linked schemes abusing remote IT worker roles and cryptocurrency heists are at the center of a new US Department of Justice announcement, which details guilty pleas from five individuals who helped DPRK actors evade sanctions and generate illicit revenue. Facilitators in the United States and Ukraine helped North Korean IT workers fraudulently obtain jobs at 136 US companies, generating more than $2.2 million in salaries while compromising at least 18 identities. In parallel, APT38 hackers stole millions in virtual currency from exchanges in Estonia, Panama, and Seychelles, with US authorities seizing over $15 million in USDT tied to the schemes.
These operations map to T1078 (Valid Accounts) through the use of stolen identities and T1041 (Exfiltration Over C2 Channel) as funds and data move through controlled wallets and infrastructure. The facilitators provided US-based identities, hosted company laptops, installed remote access software, and even attended drug tests on behalf of overseas DPRK workers, creating convincing illusions of local employment.
Ukrainian national Oleksandr Didenko stole US citizens’ identities and sold them to foreign IT workers, including North Koreans, who then used them to work for at least 40 US companies. Another facilitator, Erick Ntekereze Prince, operated a business that hosted corporate laptops and routed access from overseas workers through Florida, masking true locations. These techniques allowed DPRK-linked workers to blend into legitimate remote-work patterns, bypass simple geo checks, and move salary funds offshore, demonstrating how labor markets can be quietly weaponized for sanctions evasion.
From a business and regulatory standpoint, organizations that unknowingly hired North Korean IT workers face potential exposure under sanctions regimes and may have allowed access to sensitive code repositories, customer data, or financial systems. The use of valid corporate identities and equipment greatly increases the risk of data theft, insider access abuse, and supply chain compromise, while also raising KYC and vendor due diligence questions for affected firms. These operations show how sanctions circumvention can intersect with software development, cloud administration, and other privileged IT roles that carry direct security consequences.
US authorities have combined criminal prosecutions with civil forfeiture actions to reclaim millions in stolen funds and have reiterated reward offers of up to $5 million for information that disrupts DPRK revenue schemes. Organizations should tighten remote work hiring controls, perform stronger identity verification for sensitive roles, and review logs for anomalous access patterns tied to contractors or remote staff. Security teams should treat IT worker fraud and sanctioned-entity infiltration as part of their threat modeling, pairing fraud-prevention controls with technical monitoring for unusual code commits, privileged access, and cryptocurrency-related activity that could indicate North Korea-linked operations.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Companies targeted by North Korean IT worker schemes risk sanctions violations, insider access abuse, and source code or data theft if they unknowingly employ DPRK-linked personnel through fraudulent intermediaries. Beyond direct financial loss from crypto heists and salary diversion, affected organizations may face regulatory scrutiny, reputational damage, and potential legal liability for weak due diligence on remote hires and contractors.
Technical Context: The operations combine identity theft, fraudulent employment, and APT38-led cryptocurrency theft, mapping to T1078 (Valid Accounts) as attackers abuse real employee credentials and T1041 (Exfiltration Over C2 Channel) as they move stolen funds through controlled wallets. Facilitators use remote access tools, corporate laptops, and geo-obfuscation to blend malicious activity with normal remote work patterns, complicating detection in traditional endpoint and network monitoring.
⚡Strategic Intelligence Guidance
- Enhance identity verification, background checks, and sanctions screening for remote IT and developer roles, especially when hiring via third-party platforms or overseas intermediaries.
- Instrument identity and access management systems to detect anomalous login patterns, such as inconsistent geolocation, time zone drift, or remote access through unmanaged proxies tied to contractor accounts.
- Audit access by high-privilege IT workers and contractors to source code repositories, production environments, and crypto-related systems, and enforce least-privilege and just-in-time access where possible.
- Integrate sanctions evasion and DPRK-linked TTPs into threat modeling and vendor risk assessments, and leverage public advisories and rewards programs to stay aligned with government disruption efforts.
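The IAM detections recommended above, worked through as an added example that is not part of the original assessment: three checks over constructed sign-in records and a hypothetical HR roster (field names and all values are made up). The checks correspond to the laptop-farm pattern (many contractor accounts behind one egress IP), source-country versus claimed-country mismatch, and time-zone drift between claimed location and actual working hours.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real): HR roster of contractor accounts with the
# country and UTC offset each worker claimed, plus IAM sign-in events as JSON lines.
ROSTER = {
    "c.alvarez": {"country": "US", "utc_offset": -5},  # claims US East Coast
    "j.moore":   {"country": "US", "utc_offset": -5},
    "p.singh":   {"country": "US", "utc_offset": -5},
    "l.chen":    {"country": "US", "utc_offset": -8},
}
SIGNIN_LOG = """
{"ts":"2024-03-04T04:10:00Z","user":"c.alvarez","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T05:05:00Z","user":"j.moore","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T06:30:00Z","user":"c.alvarez","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T07:40:00Z","user":"p.singh","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T08:15:00Z","user":"c.alvarez","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T13:00:00Z","user":"j.moore","src_ip":"203.0.113.7","geo":"US"}
{"ts":"2024-03-04T17:00:00Z","user":"l.chen","src_ip":"198.51.100.9","geo":"US"}
{"ts":"2024-03-04T18:30:00Z","user":"l.chen","src_ip":"198.51.100.9","geo":"RO"}
"""
EVENTS = [json.loads(line) for line in SIGNIN_LOG.strip().splitlines()]

def shared_egress(events, roster, min_accounts=3):
    """Laptop-farm indicator: several distinct contractor accounts signing in from
    one source IP, as when hosted laptops are all reached via remote-access software."""
    by_ip = defaultdict(set)
    for e in events:
        if e["user"] in roster:
            by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_accounts}

def geo_mismatch(events, roster):
    """Source-IP country disagrees with the country on the HR record."""
    return [(e["user"], e["src_ip"], e["geo"]) for e in events
            if e["user"] in roster and e["geo"] != roster[e["user"]]["country"]]

def off_hours_ratio(events, roster, start=6, end=22):
    """Time-zone drift: share of sign-ins outside waking hours in the zone the worker
    claims. A 09:00-18:00 workday in UTC+9 lands at 19:00-04:00 'local' in UTC-5."""
    tally = defaultdict(lambda: [0, 0])  # user -> [off_hours_count, total]
    for e in (x for x in events if x["user"] in roster):
        u = e["user"]
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        local = ts.astimezone(timezone(timedelta(hours=roster[u]["utc_offset"])))
        tally[u][1] += 1
        if not start <= local.hour < end:
            tally[u][0] += 1
    return {u: off / total for u, (off, total) in tally.items()}
```

On the sample, the first three accounts share one egress IP and sign in almost entirely overnight in their claimed zone, while l.chen keeps normal hours but has one sign-in geolocated outside the claimed country; each finding is a lead for HR and identity verification follow-up, not proof on its own.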
Vendors
US Department of Justice
Threats
North Korean IT worker schemes; APT38
Targets
US companies hiring remote IT workers; cryptocurrency exchanges
Impact
Financial: $2.2 million in salaries; $15 million seized