US Actions Disrupt North Korean Cybercrime & Sanctions Evasion Schemes

  • Writer: OpusDatum
  • Nov 14
  • 3 min read
The latest announcement from the Justice Department marks a significant escalation in US efforts to dismantle North Korea’s illicit global revenue networks. With five guilty pleas secured and over 15 million dollars in virtual currency subject to civil forfeiture, the Department has underscored both the scale and sophistication of the Democratic People’s Republic of Korea’s (DPRK) exploitation of remote IT work and cryptocurrency theft to finance its weapons programmes in defiance of international sanctions.
The coordinated actions revealed how DPRK operatives used stolen and falsified identities, proxy computers, and US-based facilitators to infiltrate legitimate companies under the guise of remote IT workers. These schemes, which compromised the identities of more than 18 US citizens and impacted over 136 companies, generated in excess of 2.2 million dollars for the regime. Three US nationals in Georgia admitted to providing their identities, hosting corporate laptops, and even attending drug tests on behalf of overseas workers to bypass employer controls. In a parallel case, a Ukrainian identity broker pleaded guilty to supplying stolen US identities to DPRK-linked IT workers who fraudulently secured employment at 40 American companies.
A separate set of actions targets the DPRK’s cybercriminal machinery. APT38, a military-affiliated hacking group long associated with high-value cryptocurrency thefts, conducted multimillion-dollar heists against virtual asset platforms in Estonia, Panama, and Seychelles in 2023. The FBI successfully froze and seized more than 15 million dollars’ worth of USDT linked to these attacks and is now seeking forfeiture with a view to returning funds to victims. The heists, totalling nearly 400 million dollars in stolen assets, highlight the critical vulnerability of cryptocurrency exchanges and payment processors to well-resourced nation-state actors.
Senior officials emphasised that the DPRK RevGen: Domestic Enabler Initiative, a joint effort between the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, is central to disrupting the regime’s revenue streams. This initiative targets both overseas operators and their US-based enablers, who provide the domestic cover required for DPRK IT workers to penetrate American corporate networks. The Department referenced earlier actions under the initiative from January and June 2025, reinforcing the sustained nature of this campaign.
The FBI has repeatedly warned that North Korean IT workers pose a material threat to US businesses. These individuals, often presenting as highly skilled contractors, have engaged in data exfiltration, extortion, and credential theft while masquerading as legitimate remote staff. Their operations rely on a blend of social engineering, stolen identities, false websites, alias accounts, and the unwitting support of third parties who host devices or facilitate payments. North Korean IT workers can individually generate earnings of up to 300,000 dollars a year, collectively contributing hundreds of millions of dollars to entities tied to the Ministry of Defence and other sanctioned bodies.
The Justice Department’s actions serve as a clear reminder that the DPRK continues to adapt its tactics to evade sanctions, leveraging both the global shift to remote work and the weaknesses inherent in the digital asset ecosystem. For financial institutions, technology firms, and compliance professionals, these cases highlight the ongoing need to strengthen identity verification, remote worker vetting, and cryptocurrency traceability measures.
As the Department continues its investigations, the US State Department is offering rewards of up to 5 million dollars for information that disrupts North Korea’s illicit financial activities, including cybercrime, money laundering, and sanctions evasion. The message is unequivocal: those who facilitate or profit from North Korea’s schemes, regardless of location, will face sustained enforcement pressure.
Read the press release here.