The US Department of Justice has initiated significant legal proceedings to seize more than $15 million in USDT (Tether stablecoin) directly linked to North Korean state-sponsored hacking operations. This enforcement action represents a crucial component of the US government's broader strategy to disrupt Pyongyang's increasingly sophisticated cyber warfare capabilities and its reliance on cryptocurrency theft to circumvent international sanctions.
The targeted funds are associated with APT38 (Advanced Persistent Threat 38), a notorious North Korean hacking unit that operates under state direction and has been responsible for numerous high-profile attacks on global financial institutions and cryptocurrency platforms. This group has become one of the most prolific cyber threat actors in the digital asset space, utilizing advanced techniques to breach security systems and launder stolen funds through complex networks of intermediaries.
Federal investigators have successfully traced the digital assets to funds stolen from four distinct virtual currency platforms during a series of coordinated attacks in 2023. The FBI's blockchain analysis capabilities, combined with cooperation from private sector security firms, enabled authorities to track the movement of stolen funds across multiple blockchains and through various obfuscation techniques employed by the North Korean operatives.
The FBI initially seized the USDT in early 2025 through emergency legal procedures and is now pursuing court approval to permanently forfeit these assets. Once the forfeiture is finalized, the DOJ intends to return the recovered funds to the legitimate victims of these cyberattacks, providing at least partial restitution for their losses.
While the DOJ has not publicly identified the specific hacked platforms to protect ongoing investigations, the timeline of the thefts aligns closely with several major security incidents that occurred during 2023. These include the $100 million Poloniex breach that took place in November 2023, the $37 million CoinsPaid hack in July of that year, the Alphapo payments processor attack (estimated by the DOJ at approximately $100 million), and another significant November 2023 theft of roughly $138 million from a Panama-based cryptocurrency exchange. However, the DOJ has not confirmed which specific cases are covered under these particular forfeiture actions.
According to the official announcement, North Korean operatives employed sophisticated money laundering techniques to obscure the origins of the stolen funds. They utilized a complex network of cryptocurrency mixers (services that blend multiple transactions to hide their source), cross-chain bridges (tools that transfer assets between different blockchain networks), mainstream crypto exchanges, and over-the-counter (OTC) brokers who facilitate large private transactions outside of public exchange order books.
"Efforts to trace, seize, and forfeit related stolen virtual currency remain ongoing, as the APT38 actors continue to launder such funds," the DOJ stated, indicating that this enforcement action is part of a continuing investigation rather than a concluded case.
The sophisticated nature of these laundering operations demonstrates the evolving capabilities of state-sponsored threat actors and the challenges facing law enforcement in the decentralized cryptocurrency ecosystem. Despite these obstacles, federal investigators have developed increasingly effective methods for tracking illicit funds across blockchain networks.
The enforcement push extends beyond the hackers themselves to include individuals who facilitated North Korea's infiltration of American companies. The DOJ secured guilty pleas from five individuals who played crucial roles in helping North Korean operatives gain access to US corporate networks through fraudulent remote IT work arrangements.
Four US citizens—Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince—admitted to wire fraud conspiracy charges. These individuals provided their legitimate US identities to North Korean IT workers and allowed company-issued laptops and equipment to be operated from inside their homes, creating the false appearance that these workers were physically located in the United States. This deceptive setup gave North Korean operatives access to sensitive US corporate networks, intellectual property, and financial systems while bypassing security measures designed to prevent foreign access.
This scheme has become a central revenue stream for Pyongyang, allowing the regime to generate substantial income while simultaneously gathering intelligence on American companies and potentially positioning assets for future cyberattacks. The remote work arrangements, which became more common following the COVID-19 pandemic, provided an opportunity that North Korean operatives exploited systematically.
In a related case that highlights the international nature of these criminal networks, Ukrainian national Oleksandr Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft charges. Didenko operated a sophisticated identity theft operation, stealing personal information from US citizens and selling these stolen identities to North Korean IT operatives.
His criminal enterprise directly enabled North Korean workers to secure positions at approximately 40 different companies across the United States. By providing authentic-seeming American identities complete with supporting documentation, Didenko made it possible for these operatives to pass background checks and verification processes that would normally prevent foreign nationals from accessing sensitive positions.
As part of his plea agreement, Didenko agreed to forfeit more than $1.4 million in proceeds from his illegal activities, demonstrating the substantial profits generated by this identity theft operation.
The scope of these schemes is staggering: collectively, they affected 136 US companies, generated more than $2.2 million in direct revenue for the North Korean government, and compromised the personal information of over 18 American citizens. These figures likely represent only a portion of the total impact, as investigations continue and additional cases may come to light.
US officials have repeatedly warned that individual North Korean IT workers can earn up to $300,000 annually through these fraudulent employment schemes. When multiplied across potentially hundreds or thousands of operatives, the program collectively funnels hundreds of millions of dollars into programs overseen by North Korea's Ministry of Defense, directly supporting the regime's weapons development and military capabilities in violation of international sanctions.
North Korea's cryptocurrency theft operations have surged recently, with hackers stealing more than $2 billion in digital assets according to data from Elliptic, a leading blockchain analytics firm. This represents one of the most successful years for North Korean cyber theft operations and underscores the regime's increasing sophistication and reliance on cryptocurrency crime as a sanctions evasion mechanism.
The scale of these operations has made North Korea one of the most significant cyber threats in the cryptocurrency space, with implications not only for the security of digital asset platforms but also for international peace and security, as these stolen funds directly support the regime's sanctioned weapons programs and help it evade the economic pressure intended to constrain its military ambitions.
The US DOJ seeks to seize USDT tied to North Korean hackers to combat cybercrime and money laundering. North Korean state-sponsored hackers have conducted major cryptocurrency thefts and ransomware attacks. Freezing these assets disrupts their funding operations, enforces sanctions, and prevents illicit capital flow.
USDT is classified as a stablecoin and digital asset under various jurisdictions. Regulators treat it as a money transmitter or payment instrument. The US SEC and CFTC oversee its trading and issuance. Tether faces compliance requirements including reserve backing verification and anti-money laundering protocols to prevent illicit fund transfers.
North Korean hackers typically employ spear-phishing, malware deployment, and cryptocurrency theft targeting exchanges and DeFi protocols. They launder stolen funds through mixing services, peer-to-peer transactions, and converting crypto to stablecoins like USDT for obscured movement across blockchain networks.
Exchanges implement AML/KYC protocols, monitor transaction patterns, and report suspicious activities to regulators. They freeze accounts upon legal orders, provide transaction records, and use blockchain analysis tools to trace fund flows, enabling authorities to identify and recover illicit assets linked to criminal activities.
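The laundering chain described above (attacker address, then bridge or OTC broker, then exchange deposit) and the tracing that exchanges and investigators perform can be shown on a toy transfer ledger. The example below is added here and is not code from the article, the DOJ or any analytics vendor; the ledger, address labels and amounts are constructed, and the "poison" taint rule (every outflow from a tainted address counts in full) is one simple attribution convention, not the method the FBI used.

```python
from collections import defaultdict, deque

# Constructed example ledger (not real on-chain data): each record is
# (tx_id, sender, receiver, amount_usdt). Labels are illustrative only.
TRANSFERS = [
    ("tx1", "victim_hot_wallet", "thief_1", 1_000_000),
    ("tx2", "thief_1", "bridge_contract", 600_000),
    ("tx3", "thief_1", "otc_broker", 400_000),
    ("tx4", "bridge_contract", "deposit_exchange_A", 600_000),
    ("tx5", "otc_broker", "deposit_exchange_B", 150_000),
    ("tx6", "honest_user", "deposit_exchange_B", 50_000),  # unrelated inflow
]

# Deposit addresses controlled by exchanges, which can freeze on a legal order.
EXCHANGE_DEPOSITS = {"deposit_exchange_A", "deposit_exchange_B"}


def trace_forward(transfers, seed, max_hops=5):
    """Hop-limited breadth-first walk from the seed (first attacker address).

    Returns {address: hop_count} for the seed and every address that
    received funds downstream of it within max_hops transfers."""
    outgoing = defaultdict(list)
    for _, sender, receiver, _ in transfers:
        outgoing[sender].append(receiver)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for nxt in outgoing[addr]:
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def exposure_report(transfers, seed, deposits, max_hops=5):
    """Tainted USDT that reached each exchange deposit address.

    Poison rule: any transfer whose sender is downstream of the seed is
    counted in full. This over-attributes when an intermediary such as a
    bridge or OTC desk commingles clean funds; a haircut (pro-rata) rule
    would split each outflow by the sender's tainted share instead.
    Returns {deposit_address: (tainted_amount, hops_from_seed)}."""
    tainted = trace_forward(transfers, seed, max_hops)
    received = defaultdict(int)
    for _, sender, receiver, amount in transfers:
        if sender in tainted and receiver in deposits:
            received[receiver] += amount
    return {d: (received[d], tainted[d]) for d in deposits if d in tainted}
```

Run against the constructed ledger, `exposure_report(TRANSFERS, "thief_1", EXCHANGE_DEPOSITS)` attributes 600,000 USDT to exchange A and 150,000 to exchange B, both two hops from the seed, while the honest user's 50,000 deposit is left out.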
This case highlights the importance of compliance and regulatory oversight in crypto. While law enforcement can trace and seize illicit funds, legitimate users' assets remain secure through proper custody practices. It reinforces that transparent platforms and KYC procedures actually protect user interests by preventing criminal activity and reducing systemic risks.
The US government freezes crypto assets under the International Emergency Economic Powers Act (IEEPA) and the Patriot Act to combat money laundering, terrorist financing, and sanctions violations. These statutes authorize asset seizure when linked to national security threats or criminal activity.
Use compliant wallets, maintain transaction records, avoid high-risk addresses, enable multi-signature security, keep KYC documentation updated, and use personal non-custodial wallets rather than suspicious platforms to reduce freezing risks.