The Justice Department announced five guilty pleas on Friday related to North Korea’s long-running IT worker scam. In addition to the convictions, the DOJ said it was able to seize more than $15 million obtained by North Korean facilitators through cryptocurrency thefts in 2023.
In total, the IT worker schemes affected about 136 U.S. companies and allowed North Korea to earn $2.2 million, the department said. More than 18 U.S. citizens had their identities stolen and used as part of the scam.
In three cases, U.S. nationals gave North Koreans access to their own identities. The other two cases involved stolen identities.
Direct help
U.S. nationals Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34, pleaded guilty to wire fraud conspiracy after providing their identities to North Korean workers and allowing them to be used to obtain jobs at U.S. companies.
From approximately September 2019 through November 2022, the three also hosted company laptops at their homes, installed remote access tools and allowed the IT workers to make it look like they were working within the U.S.
The DOJ noted that the three did several other things to help get the North Koreans through company vetting processes. Travis and Salazar even went so far as to take drug tests on behalf of the North Korean workers as part of the employment process.
Travis was an active-duty member of the U.S. Army at the time of the scheme and was paid $51,397 for his role. Phagnasay and Salazar earned at least $3,450 and $4,500, respectively.
The North Korean workers used the three identities to earn $1.28 million in salaries, the Justice Department said.
Stealing and laundering
Ukrainian national Oleksandr Didenko pleaded guilty to wire fraud and identity theft charges, the department said, after prosecutors accused him of stealing multiple U.S. citizen identities and selling them to North Korean facilitators.
The identities were used to obtain jobs at 40 U.S. companies. As part of the plea deal, Didenko forfeited $1.4 million he earned from the scheme. Didenko was arrested in Poland last year and was extradited in December 2024.
The DOJ previously said it also raided four U.S. residences controlled by Didenko where he ran laptop farms. He was charged last year alongside U.S. national named Christina Chapman — who was given an 8.5-year sentence for running a laptop farm in Arizona that facilitated the North Korean scheme.
Another U.S. national, Erick Ntekereze Prince, also pleaded guilty to wire fraud conspiracy after using his company to launder the identities of several North Korean workers.
From June 2020 to August 2024, Prince’s Taggcar Inc. was used as an IT contractor, hiring out workers to U.S. companies. The North Koreans working for the company used stolen or fake identities.
Prince also ran a laptop farm in Florida where he maintained company-provided laptops and allowed the North Korean IT workers to work remotely. He earned about $89,000 from the scheme.
Prince was charged in January alongside another U.S. national, Emanuel Ashtor, and Mexican national Pedro Ernesto Alonso de los Reyes.
In total, the three helped North Korean IT workers gain employment at 64 U.S. companies and earn nearly $1 million in salary payments. Ashtor is awaiting trial and de los Reyes is in custody in The Netherlands awaiting extradition.
$15 million forfeited
The plea deals were announced alongside forfeiture complaints for more than $15 million in stolen funds.
The Justice Department said the FBI seized cryptocurrency controlled by the North Korean government’s APT38 hacking group — known by many researchers as Lazarus or TraderTraitor.
The complaints say parts of the seized cryptocurrency was traced back to four separate incidents:
- A July 2023 theft of $37 million from Estonia-based cryptoplatform CoinsPaid.
- A $100 million theft from an unidentified Panama-based crypto provider in July 2023.
- A November 2023 theft of $138 million from a Panama-based virtual currency exchange.
- A November 2023 incident involving $107 million in stolen crypto from a Seychelles-based exchange.
The FBI attributed multiple high-profile cryptocurrency thefts to North Korea in 2023, including a $100 million hack of Atomic Wallet on June 2, a June 22 attack in which cybercriminals stole $60 million from Alphapo and the $100 million hack of Harmony’s Horizon bridge.
The DOJ said it is still working to trace and seize the stolen cryptocurrency but noted that North Korea has continued to launder the funds through multiple exchanges, mixers and other tools.
“FBI investigations continue to expose the North Korean government’s relentless campaign to evade U.S. sanctions and generate millions of dollars to fund its authoritarian regime and weapons programs,” said Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division.
Recorded Future
Intelligence Cloud.
Learn more.
