
FBI seizes 15.1 million stablecoins! North Korean hackers infiltrate 136 U.S. companies, insider details exposed.

The U.S. Department of Justice announced last week that it has submitted a request to seize Tether USDT stablecoins worth $15.1 million, which were confiscated from North Korean hackers linked to the APT38 organization. At the same time, four U.S. citizens and one Ukrainian national pleaded guilty to helping North Korean IT personnel infiltrate 136 U.S. domestic companies, which generated over $2.2 million in revenue for the North Korean regime.

FBI seized 15.1 million USDT stablecoin

[Figure: FBI accuses North Korea of infiltration. Source: U.S. Department of Justice]

The U.S. Department of Justice announced on November 14 that it has filed two civil forfeiture lawsuits in an attempt to seize $15.1 million worth of Tether stablecoin USDT, which was stolen by North Korean hackers in 2023. The seized cryptocurrency originated from Advanced Persistent Threat 38 (APT38), a North Korean military hacking organization that carried out thefts against four overseas virtual currency platforms in 2023. The FBI seized these funds in March 2025 and is currently seeking court approval to forfeit these assets to return them to the victims.

The seized stablecoins come from four incidents. Although the announcement did not specify which four, clues suggest they may include: the November 2023 hack of the Poloniex exchange, with losses exceeding 100 million USD; the July 2023 hack of the cryptocurrency company CoinsPaid, with losses of 37 million USD; the loss of approximately 60 million USD by the payment processor Alphapo in the same month; and an unspecified case of “about 138 million USD stolen from a virtual currency exchange in Panama in November 2023.” The U.S. Department of Justice has not publicly confirmed which incidents are covered by this forfeiture lawsuit.

The case of stablecoins being used as tools for money laundering highlights the urgency of regulating digital assets. Stablecoins like USDT are extremely convenient for cross-border transfers due to their 1:1 peg to the US dollar, but this has also made them the preferred tools for criminal organizations to launder money. The agency stated in a statement: “The work of tracking, seizing, and confiscating the related stolen virtual currencies is ongoing, as members of APT38 continue to launder money through various cryptocurrency bridges, mixers, exchanges, and over-the-counter traders.”

This recent seizure operation shows that although transactions of stablecoins on the blockchain are anonymous, law enforcement's tracking capabilities are improving. Through on-chain analysis tools and cooperation with exchanges, the FBI was able to trace the flow of stolen stablecoins and ultimately freeze these assets. This is good news for legitimate stablecoin users, but it also serves as a reminder that regulatory pressure regarding stablecoins in anti-money laundering will continue to increase.

American citizen becomes a mole to assist North Korea's infiltration

On Friday, the U.S. Department of Justice also announced that it has secured guilty pleas from four U.S. citizens and one Ukrainian national who admitted to helping North Korean IT workers fraudulently obtain jobs at U.S. companies by providing stolen identities and hosting company laptops. The four U.S. citizens (24-year-old Audricus Phagnasay, 30-year-old Jason Salazar, 34-year-old Alexander Paul Travis, and 38-year-old Erick Ntekereze Prince) pleaded guilty to conspiracy to commit wire fraud.

They provided their identity information to North Korean workers and kept company-issued laptops in their own homes, making these workers appear to be working in the United States. This mode of operation is extremely covert: the North Korean IT personnel actually work remotely from Pyongyang or other locations, but appear in company systems as local U.S. employees because they use the identity and internet connection of American citizens. This method not only circumvents legal restrictions on employing foreigners but also renders the company's background checks ineffective.

Ukrainian citizen Oleksandr Didenko pleaded guilty on November 10 to conspiracy to commit wire fraud and aggravated identity theft; he was charged with stealing the identity information of U.S. citizens and selling it to North Korean IT professionals. Didenko helped North Koreans obtain jobs at 40 U.S. companies and agreed, as part of a plea deal, to forfeit over $1.4 million in property. This case illustrates that North Korea's IT infiltration program has developed into an industrial chain, with dedicated personnel responsible for identity theft, remote device hosting, and salary reception.

The U.S. Department of Justice stated that these schemes affected over 136 American companies, generating over $2.2 million in revenue for the North Korean regime and exposing the identities of more than 18 American citizens. Although $2.2 million is not large relative to the overall scale of the economy, the strategic risks posed by such infiltration far outweigh the economic losses. North Korean IT personnel may have access to sensitive technologies, customer data, and even defense-related information.

North Korea IT Infiltration Program Core Techniques

Identity theft: Stealing or purchasing identity information of U.S. citizens

Remote Hosting: US citizens hosting company-issued laptops at home

Location Spoofing: Making North Korean workers appear to be located in the U.S. through U.S. IP addresses.

Salary Transfer: Transferring wages back to North Korea through a complex financial network.

Unveiling North Korea's Cryptocurrency Crime Industry Chain

North Korea is increasingly relying on cryptocurrency theft and remote IT worker programs to generate income, in violation of international sanctions. The U.S. Federal Bureau of Investigation, Treasury Department, and State Department warned in an advisory released in 2022 that North Korean IT workers can earn up to $300,000 per year, and that they have funneled hundreds of millions of dollars into programs operated by the North Korean Ministry of Defense. This source of income is critical for the North Korean regime, which faces severe international sanctions.

According to analysis by Elliptic, North Korean hackers stole over $2 billion in cryptocurrency in 2025 alone, making the regime one of the most rampant actors in global cryptocurrency theft. This figure far surpasses traditional cybercrime organizations, indicating that North Korea has viewed cryptocurrency theft as a national strategic resource. Hacking groups like APT38 receive military support and possess highly specialized technical capabilities and ongoing financial investment.

Stablecoins play a key role in these criminal activities. Compared to the price volatility of Bitcoin and Ethereum, the characteristic of stablecoins being pegged to the USD makes them more suitable as tools for transferring and storing stolen funds. Hackers usually first convert the stolen cryptocurrency into stablecoins, and then launder the money through mixers and cross-chain bridges. This method can maintain value stability while utilizing the anonymity of blockchain to evade tracking.

However, stablecoin issuers are strengthening their cooperation with law enforcement agencies. Tether has assisted multiple times in freezing USDT related to criminal activities, and this time the FBI's ability to seize 15.1 million USDT also shows that the collaboration mechanism between law enforcement agencies and stablecoin issuers is becoming increasingly mature. For legitimate users, this is a double-edged sword: on one hand, it enhances the security and compliance of stablecoins, while on the other hand, it also means that transactions involving stablecoins are not completely untraceable.

The cryptocurrency crime industry chain in North Korea has become highly mature, encompassing multiple aspects such as hacking attacks, money laundering, identity theft, and remote IT infiltration. Organizations like APT38 are specifically responsible for attacking cryptocurrency exchanges and DeFi protocols, stealing funds and then converting stablecoins into cash or other difficult-to-trace assets through professional money laundering networks. Remote IT workers provide a continuous source of income and may offer internal intelligence for hacking operations.

Regulation of Stablecoins and Corporate Preventive Measures

This case has raised warnings for the stablecoin industry and employer companies. For stablecoin issuers, the pressure for anti-money laundering and sanctions compliance will continue to increase. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has blacklisted several cryptocurrency addresses related to North Korea, and stablecoin issuers need to monitor these addresses in real-time and freeze related funds.

For businesses, preventing the infiltration of North Korean IT personnel has become a new security challenge. Traditional background checks may fail to identify remote workers using stolen identities. Companies need to strengthen their authentication processes, including video interviews, multi-factor authentication, and continuous behavioral monitoring. For positions that handle sensitive information, employees may be required to work in the office or undergo stricter security screenings.
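
As an added example (not from the original article or the Department of Justice), the sketch below shows one form the "continuous behavioral monitoring" mentioned above could take against the laptop-hosting scheme: flagging a single non-corporate IP address from which several employees' company laptops sign in. The record fields, the corporate network range, and the sample events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per corporate-laptop sign-in.
# Field names are assumptions: employee id, device serial, egress IP seen by the VPN/IdP,
# and whether an inbound remote-control session was active on the laptop.
EVENTS = [
    {"user": "emp-101", "device": "LT-A1", "ip": "198.51.100.23", "remote_ctrl": True},
    {"user": "emp-102", "device": "LT-B7", "ip": "198.51.100.23", "remote_ctrl": True},
    {"user": "emp-103", "device": "LT-C4", "ip": "198.51.100.23", "remote_ctrl": False},
    {"user": "emp-200", "device": "LT-D9", "ip": "203.0.113.5", "remote_ctrl": False},
    {"user": "emp-201", "device": "LT-E2", "ip": "192.0.2.77", "remote_ctrl": False},
    {"user": "emp-202", "device": "LT-F3", "ip": "192.0.2.77", "remote_ctrl": False},
    {"user": "emp-300", "device": "LT-G8", "ip": "203.0.113.40", "remote_ctrl": True},
]
# Known shared egress (offices, corporate VPN) where many users per IP is expected.
CORPORATE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def find_laptop_farm_candidates(events, min_users=2):
    """Return findings for non-corporate IPs hosting laptops of several employees."""
    by_ip = defaultdict(lambda: {"users": set(), "devices": set(), "remote": set()})
    for e in events:
        if is_corporate(e["ip"]):
            continue  # shared office egress is not a signal
        slot = by_ip[e["ip"]]
        slot["users"].add(e["user"])
        slot["devices"].add(e["device"])
        if e["remote_ctrl"]:
            slot["remote"].add(e["device"])
    findings = []
    for ip, s in by_ip.items():
        if len(s["users"]) >= min_users and len(s["devices"]) >= min_users:
            # Laptops that are also being driven remotely strengthen the signal.
            severity = "high" if s["remote"] else "medium"
            findings.append({"ip": ip, "users": sorted(s["users"]),
                             "devices": sorted(s["devices"]),
                             "remote_controlled": sorted(s["remote"]),
                             "severity": severity})
    return sorted(findings, key=lambda f: f["ip"])

if __name__ == "__main__":
    for finding in find_laptop_farm_candidates(EVENTS):
        print(finding)
```

A hit is a lead for HR and security review, not proof: two employees in one household produce the same pattern, which is why findings without remote-control activity are rated lower.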

The recent actions of the U.S. Department of Justice demonstrate that law enforcement agencies are tackling North Korea's cryptocurrency criminal activities on multiple levels. In addition to tracking and seizing stolen stablecoins, they are also dismantling the infrastructure that supports these activities, including identity theft networks and remote hosting services. The prison sentences faced by the five defendants who pleaded guilty will send a strong warning to other potential accomplices.
