The U.S. Department of Justice announced that five individuals pleaded guilty to aiding North Korea’s illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft.

As part of this, the U.S. authorities announced actions seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.

The facilitators, four Americans and one Ukrainian, used their own, false, or stolen (from 18 U.S. persons) identities to make it possible for DPRK agents to be hired by American firms for remote work.

The latter then funneled their salaries, as well as, in some cases, stolen data, to the North Korean government.

According to the DOJ’s announcement, the actions of the five individuals affected 136 companies nationwide and generated over $2.2 million in revenue for the DPRK regime.

The five people who pleaded guilty are:

• Oleksandr Didenko – Pleaded guilty to wire-fraud conspiracy and aggravated identity theft. He stole U.S. identities and sold them to overseas IT workers, who got employment at 40 U.S. companies. Previously linked to the UpWorkSell platform (seized by the DOJ), and identified as a co-conspirator of Christina Marie Chapman.
• Erick Ntekereze Prince – Pleaded guilty to wire-fraud conspiracy. Through his company, Taggcar Inc., he placed overseas IT workers using stolen identities at 64 U.S. companies, earning $89,000 in the process, and causing damages exceeding $943,000.
• Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis pleaded guilty to wire-fraud conspiracy. They participated in the said schemes between 2019 and 2022, causing damages totaling $1.28 million. Travis earned $51,000, while Phagnasay and Salazar earned between $3,450 and $4,500.

Didenko agreed to forfeit $570,000 in fiat currency and an additional $830,000 worth of cryptocurrency.

The DOJ announcement also highlights two civil forfeiture complaints filed to seize amounts totaling over $15 million, which were stolen and laundered by North Korea’s APT38.

The seized funds relate to four major incidents from 2023 targeting cryptocurrency exchange platforms based in Panama, Estonia, and Seychelles. In total, $382 million was stolen in these cyber-heists.

APT38 has been laundering funds from these hacks via cryptocurrency bridges, mixers, exchanges, and OTC traders, and authorities have so far traced and seized $15 million, with work to intercept more underway.