DOJ Seeks Forfeiture of Millions in USDT Linked to North Korean Hackers
The U.S. Department of Justice has initiated proceedings to formally forfeit over 15.1 million dollars in Tether's USDT stablecoin. These funds were seized from North Korean hackers associated with the APT38 military cyber unit. The recovery occurred earlier this year following an FBI investigation that traced stolen assets across multiple hacks of exchanges and payment platforms in 2023. The DOJ has filed two civil forfeiture complaints, seeking court approval to retain the seized assets and ultimately return them to the victims.
According to investigators, the stolen USDT was directly linked to APT38 operations that targeted four overseas virtual currency platforms throughout 2023. The FBI successfully seized these funds in March 2025 after meticulously tracking the laundering flows, which involved mixers, bridges, over-the-counter (OTC) brokers, and foreign exchanges. While the DOJ did not publicly name the specific platforms that were hacked in its announcement, the timing and the amounts involved strongly suggest connections to several high-profile incidents. These include the Poloniex breach in November 2023, which resulted in over 100 million dollars in losses; the CoinsPaid hack in July 2023, with losses totaling 37 million dollars; the approximately 100 million dollars taken from Alphapo during the same month; and an unconfirmed 138 million dollar theft from a Panama-based exchange in late 2023.
In its official statement, the DOJ indicated that efforts to trace and seize additional virtual currency from APT38 operations are actively continuing. The pursuit is ongoing because the hackers persistently attempt to launder funds using cross-chain tools.
North Korean IT Workers Infiltrate U.S. Companies Through Fraudulent Employment
In parallel with the forfeiture action, the DOJ announced that five individuals have pleaded guilty to facilitating North Korean operatives' fraudulent acquisition of remote employment within U.S. businesses. These schemes were designed to support Pyongyang's continuous efforts to place disguised IT workers inside American companies, thereby generating revenue for sanctioned government agencies.
Four U.S. citizens—Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; and Erick Ntekereze Prince, 38—have pleaded guilty to wire fraud conspiracy. They confessed to allowing North Korean workers to use their identities and hosting company-issued laptops in their residences. This arrangement created the illusion that the workers were physically present within the United States, granting them access to sensitive corporate systems.
Oleksandr Didenko, a Ukrainian national, also pleaded guilty to wire fraud conspiracy and aggravated identity theft. The DOJ stated that Didenko was involved in stealing U.S. identities and selling them to North Korean IT workers, which enabled them to secure positions at 40 different American employers. As part of his plea agreement, Didenko has consented to forfeit over 1.4 million dollars.
Collectively, these infiltration efforts impacted more than 136 U.S. companies, generated over 2.2 million dollars in revenue for the North Korean regime, and compromised the identities of more than 18 Americans. A joint advisory previously issued by U.S. agencies had warned that North Korean IT workers can earn substantial incomes, potentially up to 300,000 dollars per year, and collectively funnel hundreds of millions of dollars into programs controlled by the country's Ministry of Defense.
Implications for Crypto Markets and Stablecoin Risk
North Korea's persistent hacking and money laundering operations continue to pose a systemic risk across global cryptocurrency markets. Elliptic estimates that groups linked to the Democratic People's Republic of Korea (DPRK) have stolen more than 2 billion dollars in cryptocurrency in 2025 alone, establishing Pyongyang as one of the most aggressive state-sponsored crypto-theft operations worldwide.
The recent USDT forfeiture action underscores several significant and evolving trends within the cryptocurrency landscape:
- Stablecoins remain a prime target for laundering activities. APT38 and associated groups increasingly favor USDT due to its high liquidity across offshore exchanges, OTC desks, and cross-chain bridges.
- Law enforcement agencies are demonstrating increased effectiveness in intercepting illicit funds. Seizures are on the rise as U.S. authorities enhance their tracing tools for USDT and other dollar-pegged assets.
- Cross-chain infrastructure is facing heightened scrutiny. Mixers, bridges, and over-the-counter markets with thin Know Your Customer (KYC) protocols are now identified as critical pressure points for regulatory oversight.
Future U.S. Policy and Its Impact on Crypto Crime Enforcement
The current push for asset forfeiture is occurring as U.S. officials are expanding joint operations targeting large-scale cryptocurrency crime networks. The recent establishment of the Scam Center Strike Force, which specifically focuses on Southeast Asian "pig-butchering" scam hubs, signals a move by federal agencies towards a more aggressive and coordinated enforcement model.
If these trends persist, future U.S. policy could shape the cryptocurrency landscape in several key areas:
- More rapid blacklisting of wallets across U.S. exchanges and stablecoin issuers.
- Increased pressure on bridges and cross-chain protocols to implement robust compliance screening measures.
- Heightened scrutiny of the remote-worker onboarding processes at technology-driven firms.
- Stronger expectations for exchanges to effectively detect and report DPRK-linked laundering patterns.
For the cryptocurrency markets, the message is unequivocal: enforcement efforts are accelerating in both scope and sophistication, with stablecoins positioned at the core of the regulatory response.

