
A Major Blow to DPRK’s Crypto-Fueled Sanctions Evasion
In a significant escalation of efforts to disrupt North Korea’s illicit revenue streams, the U.S. Department of Justice (DOJ) has filed civil forfeiture complaints seeking to permanently seize over $15 million in Tether’s USDT stablecoin, linked to a notorious North Korean hacking group known as Advanced Persistent Threat 38 (APT38). The funds, originally stolen in a series of high-profile cryptocurrency heists in 2023, were initially seized by the FBI in March 2025 as part of ongoing investigations into Pyongyang’s cyber operations. This action, announced on November 14, 2025, underscores the U.S. government’s intensifying focus on cryptocurrency’s role in sanctions evasion, with APT38—a subunit of North Korea’s Reconnaissance General Bureau—responsible for multimillion-dollar thefts that fund the regime’s weapons programs.
The DOJ’s filings represent one of the largest crypto seizures tied to state-sponsored hacking in recent years, building on a pattern of aggressive enforcement that has already repatriated hundreds of millions in stolen assets. As North Korean actors continue to launder proceeds through virtual currency bridges, mixers, exchanges, and over-the-counter traders, this forfeiture—combined with five new guilty pleas from U.S. citizens aiding DPRK IT worker schemes—signals a multi-pronged assault on the regime’s “illicit money machine.” In a cryptocurrency market stabilizing at a $3.57 trillion cap amid Bitcoin’s consolidation above $103,000, these developments highlight the double-edged nature of digital assets: tools for innovation, but also enablers of global crime.
The Heists and Seizure: APT38’s 2023 Rampage
APT38, also tracked as TraderTraitor by cybersecurity firms like Mandiant, specializes in cryptocurrency platform breaches, using sophisticated malware and social engineering to siphon funds that bypass international sanctions. The DOJ’s complaints detail two tranches of USDT tied to APT38’s 2023 exploits:
- October 24, 2025 Filing (Case 1:25-cv-03771): Forfeiture of 1,159,834.52 USDT (approximately $1.16 million at current rates), traced to a single heist.
- November 14, 2025 Filing (Case 1:25-cv-03943): Forfeiture of 13,980,951.103 USDT (approximately $13.98 million), connected to multiple breaches.
These assets stem from four major overseas virtual currency platform hacks in 2023, including the $100 million Poloniex breach in November, the $37 million CoinsPaid attack in July, the $100 million Alphapo payments exploit, and a $138 million theft from a Panama-based exchange. The FBI’s seizure in March 2025 disrupted APT38’s laundering efforts, freezing the USDT before it could be fully converted or dispersed. Assistant Attorney General for National Security John A. Eisenberg emphasized: “These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans.”
The broader context of North Korean crypto crime is staggering: hackers stole over $2 billion in cryptocurrency in 2025 alone, per Elliptic, making the DPRK one of the most prolific cybercriminal states globally. APT38’s operations, part of the Reconnaissance General Bureau, have targeted exchanges and DeFi protocols since 2018, using stolen funds to procure luxury goods, military tech, and sanctions-evasion services.
| Heist Date | Platform Targeted | Amount Stolen | APT38’s Role | Status |
|---|---|---|---|---|
| July 2023 | CoinsPaid | $37 million | Primary actor; malware deployment | Partial recovery; laundering disrupted |
| November 2023 | Poloniex | $100 million | Spear phishing and wallet compromise | Funds traced; $15M seized |
| 2023 (Multiple) | Alphapo & Panama Exchange | $238 million combined | Social engineering & bridge exploits | Ongoing tracing; USDT frozen |
Data from DOJ filings and Elliptic reports; totals approximate in USD at theft time.
The Guilty Pleas: U.S. Enablers in DPRK IT Worker Scheme
In tandem with the forfeiture, the DOJ secured five guilty pleas on November 14 from U.S. citizens accused of facilitating a North Korean remote IT worker scheme. These individuals allegedly helped DPRK nationals—posing as legitimate freelancers—secure jobs at over 136 U.S. companies, generating $10 million+ in revenue for the regime between 2020 and 2025. The scheme, dubbed “Operation ChimpOut,” involved identity theft, resume fraud, and data exfiltration, with victims including tech firms in California and New York.
Charged defendants include John Prince, Emanuel Ashtor, and Pedro Ernesto Alonso de los Reyes, indicted in January 2025 for conspiracy to commit wire fraud. Ashtor, a U.S. national, pleaded guilty to aiding 64+ companies in hiring fake workers, while Alonso de los Reyes faced charges for Mexican-based facilitation. Sentences are pending, but each faces up to 20 years. FBI Deputy Assistant Director Gregory A. Heeb stated: “North Korean IT workers aren’t just stealing jobs—they’re stealing data to fund missiles.”
This crackdown is part of the DOJ’s DPRK RevGen: Domestic Enabler Initiative, launched in 2024, which has led to 20+ indictments and $500 million in asset freezes. The pleas highlight the human element: DPRK workers, often coerced, infiltrated firms via LinkedIn and Upwork, exfiltrating proprietary data worth millions.
Broader Implications: Disrupting Pyongyang’s Crypto Pipeline
The DOJ’s actions extend beyond seizures, aiming to starve North Korea’s $3 billion annual crypto theft operations—funding 50% of its weapons program, per UN estimates. By targeting enablers and laundering infrastructure, the U.S. is choking DPRK’s access to fiat and tech, with 2025 thefts already at $2 billion (Elliptic). Stablecoins like USDT, used in 62% of illicit flows, face heightened scrutiny, potentially boosting compliant alternatives like USDC.
Global echoes: The UK’s $6.7 billion BTC seizure from a Chinese Ponzi scheme in November 2025 and the US-UK Scam Center Strike Force (dismantling 3,000+ sites) show coordinated resolve. For crypto markets, it’s bittersweet: enhanced AML (e.g., MiCA in the EU) builds trust but risks overreach on DEXs. X sentiment: “DOJ’s $15M USDT grab = DPRK’s crypto empire crumbles” (@Chainalysis, 850 likes).
In a $3.57 trillion market, this forfeiture isn’t just justice—it’s a signal: Blockchain’s transparency aids enforcement, turning thieves’ tools against them. Victims reclaim; regimes reckon.


















