

The US Department of Justice moved to seize $15.1 million in USDT tied to North Korean hackers after investigators tracked stolen assets from several 2023 cryptocurrency attacks. Federal teams traced funds across four virtual currency platforms, and the FBI first took hold of the assets in March 2025 before the DOJ filed civil forfeiture complaints to return the funds to victims.
The DOJ connected the forfeiture request to ongoing efforts against North Korean cyber operations. Officials linked the assets to schemes involving the Lazarus Group, which has taken part in global cryptocurrency thefts. Investigators said the stolen funds moved across several payment channels as the operatives tried to hide their trail.
Investigators noted that the timeline aligned with several major 2023 breaches. Those incidents included a $100 million Poloniex hack in November, a $37 million attack on CoinsPaid in July, and the Alphapo payments breach, which the DOJ placed at $100 million. Another theft removed about $138 million from a Panama-based exchange in late 2023.
The DOJ did not confirm which attacks matched the forfeiture request. Yet the cases mirrored the scale and movement of the laundered digital assets. The agency said North Korean actors used mixers, cross-chain bridges, crypto exchanges, and OTC brokers to keep funds moving.
North Korea’s APT38 group kept shifting the assets, so investigators continued tracking the flows. The DOJ explained that more seizures are expected as the group attempts to move additional stolen cryptocurrencies. This raised a question that security teams continue to consider: how many global platforms remain exposed to similar threats?
The filing followed other US enforcement actions tied to North Korean cyber activity. The DOJ revealed new guilty pleas from five people who helped North Korean workers enter US companies through fraudulent remote IT roles. These roles generated income for Pyongyang while bypassing sanctions.
Four US citizens admitted to a wire fraud conspiracy. They included Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; and Erick Ntekereze Prince, 38. Each person provided North Korean operatives with stolen identities and allowed access to laptops issued by US employers.
Their homes functioned as points of entry for remote access. This gave the workers a way into corporate networks while appearing to operate inside the United States. The scheme allowed them to collect paychecks from dozens of businesses.
The DOJ said that the fifth individual also took part in securing fake identities and helping North Korean workers mask their origins. These operations supported broader cyber efforts that generated revenue for the Democratic People’s Republic of Korea.
The FBI said its investigations continue to uncover North Korea’s attempts to evade sanctions and steal digital assets. Assistant Director Roman Rozhavsky urged US companies to strengthen remote-work vetting. He noted that North Korea uses these schemes to support government programs and cyber operations.
Federal teams continue searching for stolen cryptocurrency tied to APT38 and related actors. The DOJ said assets remain in motion as North Korean groups keep shifting funds through complex laundering networks.
The DOJ’s push to seize $15.1 million in USDT marks a broader effort to counter North Korea’s evolving cyber schemes. Investigators continue tracing stolen crypto tied to multiple 2023 attacks while urging firms to strengthen remote-work screening. Ongoing enforcement aims to protect platforms and prevent further digital asset losses.