Five people โ four Americans and one Ukrainian โ have pleaded guilty to helping North Korean operatives secure remote IT jobs at U.S. companies, generating more than $2.2 million for Pyongyangโs sanctioned government, the U.S. Department of Justice (DoJ) announced on Friday.
According to the prosecutors, the group acted as โfacilitators,โ using their own identities โ along with false and stolen identities belonging to at least 18 U.S. citizens โ to place North Korean workers in U.S. jobs. To make the ruse more convincing, they also kept company-issued laptops in their homes and installed remote-access software, enabling them to bypass company vetting systems.
In total, the scheme affected 136 U.S. companies nationwide, from 2019 through 2024, with salaries funnelled directly to the North Korean government and, in some cases, accompanied by data theft.
Who Pleaded Guilty
- Oleksandr Didenko, a Ukrainian national and identity broker, admitted to one count of wire fraud conspiracy and one count of aggravated identity theft. He stole the identities of U.S. citizens and sold them to overseas IT workers, including North Korean IT workers, who then landed jobs at 40 companies. He agreed to forfeit $570,000 in fiat currency and an additional $830,000 worth of cryptocurrency.
- Erick Ntekereze Prince, of Florida, pleaded guilty to one count of wire fraud conspiracy. From approximately June 2020 through August 2024, Prince ran a pipeline of overseas workers through his company, Taggcar Inc., placing them at 64 U.S. companies with stolen or fake identities. He was paid more than $89,000.
- U.S. nationals Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis, in Georgia, each pleaded guilty to one count of wire fraud conspiracy for providing their identities and hosting corporate devices and help North Korean workers secure U.S.-based roles. They even sat for drug tests on behalf of the overseas workers. Travis, an active-duty U.S. Army soldier at the time, earned more than $51,000 for his role. Phagnasay and Salazar earned at least $3,450 and $4,500, respectively.
Their actions enabled the North Korean workers to collect approximately $1.28 million in salary payments from the victim U.S. companies, the vast majority of which were sent to the IT workers overseas.
โThese prosecutions make one point clear: the United States will not permit the DPRK to bankroll its weapons programs by preying on American companies and workers,โ said U.S. Attorney Jason A. Reding Quiรฑones for the Southern District of Florida, in a press release.
โWe will keep working with our partners across the Justice Department to uncover these schemes, recover stolen funds, and pursue every individual who enables North Koreaโs operations.โ
DoJ Also Targets $15 Million In Stolen Crypto
In a separate action, the Justice Department filed two civil forfeiture complaints seeking over $15 million in cryptocurrency seized from APT38, the North Korean hacking unit responsible for several high-value crypto thefts in 2023.
The hacking group โ linked to the infamous Lazarus Group โ stole $382 million from crypto exchanges in Panama, Estonia, and Seychelles in 2023, and laundered the funds through mixers, bridges, and OTC traders. Investigators have since traced and seized a portion of the stolen funds, with more seizures expected.
Crackdown On A Global North Korean Revenue Network
Officials said the guilty pleas underscore the scale of North Koreaโs remote IT worker operation. They warn that these workers not only generate revenue for Pyongyangโs weapons program but also pose a cybersecurity threat, given their access to sensitive corporate systems.
โThese actions demonstrate the Departmentโs comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans. The Department will use every available tool to protect our Nation from this regimeโs depredations,โ said Assistant Attorney General for National Security John A. Eisenberg.
The FBI has urged companies to strengthen their identity-verification checks for remote hires, noting that the threat continues to evolve.
