The Justice Department today announced five guilty pleas and more than $15 million in civil forfeiture actions against North Korea’s remote information technology work and virtual currency heist schemes.
The DPRK government uses both types of schemes to fund its weapons and other priorities in violation of sanctions.
First, as described in court documents associated with the guilty pleas, facilitators in the United States and Ukraine assisted North Korean actors with obtaining remote IT employment with U.S. companies.
For example, the facilitators provided their own, false, or stolen identities. They hosted U.S. victim company-provided laptops at residences across the United States to create the false appearance that the IT workers were working domestically.
In total, these defendants’ fraudulent employment schemes impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons.
Second, as described in the two civil forfeiture complaints, a North Korean military hacking group known to the private sector as Advanced Persistent Threat 38 (APT38) carried out multimillion-dollar virtual currency heists at four overseas virtual currency platforms in 2023.
While APT38 actors continued to launder their illicit gains from these heists, the U.S. government froze and seized more than $15 million worth of virtual currency, which it now seeks to forfeit for eventual return to the rightful owners.
“FBI investigations continue to expose the North Korean government’s relentless campaign to evade U.S. sanctions and generate millions of dollars to fund its authoritarian regime and weapons programs,” said Assistant Director Roman Rozhavsky of the FBI’s Counterintelligence Division.
Rozhavsky added, “These guilty pleas send a clear message: No matter who or where you are, if you support North Korea’s efforts to victimise U.S. businesses and citizens, the FBI will find you and bring you to justice. We ask all our private sector partners to improve their security process for vetting remote workers and to remain vigilant regarding this emerging threat.”
The Department’s actions to combat both the North Korean IT worker and hacking schemes are the latest in a series of law enforcement actions undertaken as part of a joint effort between the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, known as the DPRK RevGen: Domestic Enabler Initiative.
This effort prioritises targeting and disrupting the DPRK’s illicit revenue generation schemes and its U.S.-based enablers. The Department previously announced other actions pursuant to the initiative, including in January and June 2025.
As the FBI has described in Public Service Announcements published in May 2024 and January 2025, North Korean remote IT workers posing as legitimate remote IT workers have committed data extortion and exfiltrated proprietary and sensitive data from U.S. companies.
DPRK IT worker schemes typically involve the use of stolen identities, alias emails, social media, online cross-border payment platforms, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the U.S. and elsewhere.





