Five Men Admit Plot to Infiltrate US Firms for North Korea
▼ Summary
– Five men pleaded guilty to helping North Korean IT workers get hired at US companies by bypassing hiring checks and moving money for the sanctioned government.
– Three US nationals in Georgia allowed overseas workers to use their identities for remote jobs, earning over $1.28 million in fraudulent salaries, with one receiving $51,397.
– A Florida man admitted to providing fake certified IT workers through his company, earning nearly $1 million in salaries and receiving over $89,000 for his role.
– A Ukrainian national ran an identity brokering service, selling stolen US citizen data to foreign IT workers, impacting over 40 US firms and leading to forfeiture of $1.4 million.
– The US government seized over $15 million in cryptocurrency stolen by APT38 in 2023, tracing and freezing the funds to return them to the victim entities.
Federal prosecutors have secured guilty pleas from five individuals involved in a sophisticated plot to infiltrate American companies with North Korean IT workers. These domestic facilitators played a key role in helping a sanctioned government bypass hiring checks, move money, and place foreign personnel inside more than one hundred U.S. firms, according to the Department of Justice.
In Georgia, three U.S. citizens admitted to allowing overseas workers to impersonate them to secure remote employment. Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis provided their own identities for job applications, kept company-issued laptops in their homes, and installed remote access software so the actual workers could connect from abroad. Salazar and Travis even underwent drug screenings on behalf of the overseas personnel.
Travis, who was an active-duty member of the U.S. Army during the scheme, received at least $51,397 for his participation. Phagnasay and Salazar earned $3,450 and $4,500 respectively. Overall, the fraudulent operation generated approximately $1.28 million in salary payments from victim companies, with the majority sent to IT workers overseas.
Separately, in Florida, Erick Ntekereze Prince entered a guilty plea for his involvement. Through his company Taggcar Inc., Prince supplied what he falsely claimed were certified IT professionals to American businesses. He was fully aware the workers were located overseas and using fabricated identities. Similar to the Georgia case, he maintained company laptops at his residence and configured remote access to create the illusion the employees were working from Florida. This scheme brought in nearly $1 million in salary payments, with Prince personally receiving over $89,000.
Prosecutors noted that Prince, U.S. national Emanuel Ashtor, and Mexican national Pedro Ernesto Alonso de los Reyes were charged in a January 2025 indictment for their roles in obtaining employment for North Korean IT workers at more than 64 U.S. companies. Ashtor currently awaits trial, while de los Reyes is pending extradition from The Netherlands.
In Washington, Ukrainian national Oleksandr Didenko confessed to operating an extensive identity brokering service. He acquired personal data of U.S. citizens through theft or purchase, then sold complete identity packages to foreign IT workers, including those from North Korea. These individuals used the fraudulent documentation to gain employment at over 40 American firms. Didenko has agreed to forfeit more than $1.4 million in both cash and cryptocurrency.
Collectively, these employment fraud schemes impacted more than 136 U.S. companies, generated over $2.2 million for the North Korean regime, and compromised the identities of at least 18 American citizens.
In a related financial recovery effort, the U.S. government has moved to seize more than $15 million in cryptocurrency stolen in 2023 by APT38, also known as the Lazarus Group. The funds were taken from virtual currency payment processors and exchanges based in Estonia, Panama, and Seychelles. Investigators successfully tracked a portion of these assets across various exchanges and mixing services, freezing them before they could be moved again. Authorities intend to return the $15 million to the original victims from which the funds were stolen.
(Source: HelpNet Security)