North Korea’s $15M Crypto Scam Exposed Inside 136 U.S. Companies

The United States has pulled back the curtain on one of North Korea’s most profitable and deceptive revenue pipelines. It involves crypto theft, stolen identities, and fake IT workers quietly embedded inside American companies. The Department of Justice isn’t just naming names this time — it has seized millions, secured guilty pleas, and exposed the scale of a scheme that hit more than a hundred U.S. organizations.

What Exactly Did the DOJ Seize?

The DOJ moved to forfeit $15.1 million in Tether’s USDT stablecoin, all traced back to North Korean hackers from APT38, the same state-backed group behind some of the biggest crypto heists of the past decade. This cache didn’t land in federal hands by luck. The FBI traced and seized the funds in early 2025 following a series of attacks on virtual asset platforms. While the DOJ hasn’t publicly tied the funds to specific incidents, the timelines and amounts point toward:

• The $100M Poloniex hack in November 2023
• The $37M CoinsPaid breach in July 2023
• The Alphapo theft pegged between $60M and $100M
• An unidentified $138M heist from a Panama-based exchange

APT38 didn’t stop after stealing the money. They laundered it aggressively across bridges, mixers, OTC desks, and exchange accounts. That laundering trail is still being unwound today.

How U.S. Citizens Helped North Korea Infiltrate 136 Companies

The crypto hacks were only half the story. The other half is far more personal — and far more alarming. Four U.S. citizens and one Ukrainian national have pleaded guilty to helping North Korean IT workers slip into American companies by pretending to be remote employees located in the United States.

Here’s how it worked:

• The Americans sold their identities to North Korean operatives.
• They hosted company-issued laptops in their homes, allowing North Korean workers to appear as if they were logging in from U.S. soil.
• These workers, posing as legitimate employees, infiltrated 136 companies, earning money for the regime while gaining access to internal networks.

The individuals who pleaded guilty include:

• Audricus Phagnasay, 24
• Jason Salazar, 30
• Alexander Paul Travis, 34
• Erick Ntekereze Prince, 38
• Oleksandr Didenko, a Ukrainian national who also committed aggravated identity theft and will forfeit $1.4 million

In total, the schemes:

• Generated more than $2.2 million for the North Korean government
• Compromised over 18 U.S. identities
• Placed dozens of American companies at risk
• Violated multiple sanctions and security laws

Why North Korea Is Doing This

The motive isn’t complicated. North Korea needs money, and sanctions have cut off most conventional revenue sources.

So the regime does two things extremely well:

• Steal cryptocurrency at scale
• Plant remote IT workers in foreign firms using stolen identities

A 2022 U.S. government advisory warned that these workers can earn up to $300,000 a year, funneling the money directly into programs run by North Korea’s Ministry of Defense. The model works because it is quiet, profitable, and difficult for companies to detect — especially when the access appears to come from legitimate U.S. employees.

The Bigger Picture: A Record Year for Crypto Theft

North Korea’s hacking operations are now among the most aggressive on the planet.
By 2025, they have already stolen over $2 billion in cryptocurrency, according to Elliptic. That makes Pyongyang not just a geopolitical problem, but one of the most successful cybercriminal enterprises in the world.

The DOJ’s latest actions show the U.S. is tightening the net — but the scale of the threat keeps growing.