North Korean Hackers’ Amazing $15M USDT Theft Unveiled

North Korean hackers have once again made headlines with their audacious infiltration of U.S. companies, leading to a significant $15 million USDT theft. The U.S. Department of Justice (DOJ) has taken decisive action to recover these stolen funds and has secured guilty pleas from multiple individuals involved in this elaborate scheme.

A Closer Look at the USDT Theft

In a move to safeguard the interests of affected companies, the DOJ has filed civil forfeiture complaints to reclaim $15.1 million in Tether’s USDT, which was illicitly obtained by North Korean hackers in 2023. These funds were traced back to Advanced Persistent Threat 38 (APT38), a notorious North Korean hacking group responsible for several high-profile cryptocurrency heists.

The FBI seized the funds in March 2025, and the DOJ is now seeking court approval to return the assets to their rightful owners. Although the specific incidents are not elaborated upon, circumstantial evidence points to a series of hacks, including the $100 million theft from Poloniex in November 2023, the $37 million hack of CoinsPaid in July 2023, and the $60 million attack on Alphapo, among others.

How U.S. Citizens Facilitated the Breach

The DOJ revealed that four U.S. citizens and one Ukrainian national played a pivotal role in assisting North Korean hackers. These individuals, including Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince, admitted to wire fraud conspiracy. They provided their identities to the hackers and hosted company laptops at their residences, creating the illusion that these workers were based in the United States. Ukrainian national Oleksandr Didenko also pleaded guilty to similar charges.

These schemes allowed North Korean IT workers to fraudulently secure employment at over 136 U.S. companies, generating more than $2.2 million in revenue for North Korea. This operation resulted in the theft of identities from over 18 U.S. citizens, further highlighting the extensive reach of these cybercriminal activities.

Implications and Ongoing Efforts

The DOJ continues to trace and seize stolen virtual currencies as North Korean hackers persist in laundering funds through various channels like virtual currency bridges and exchanges. The regime’s reliance on cryptocurrency theft, alongside remote IT worker schemes, represents a significant violation of international sanctions.

In 2025 alone, North Korean hackers have amassed over $2 billion in cryptocurrency, according to an analysis by Elliptic. This positions the regime as one of the most prolific players in global crypto theft operations.

The DOJ’s actions underscore the ongoing threat posed by North Korean cyber activities and the critical importance of international cooperation to combat such threats effectively. As the digital landscape continues to evolve, robust security measures and vigilant monitoring remain essential to safeguarding against these sophisticated cybercrimes.
