The Justice Department said four of the defendants are US nationals who played direct roles in helping the workers hide their identities, pass screening checks, and gain access to jobs they were never supposed to hold. Their actions opened the door for North Korean IT workers to earn millions from unsuspecting firms across the country.
Authorities said one of them, 30-year-old Erick Ntekereze Prince, used his own company as a gateway. Prince supplied what he claimed were certified IT workers to US companies. Yet investigators found that he knew the workers were using false or stolen identities. He even hosted laptops from victim firms at locations in Florida to make it appear as if the workers were operating inside the United States when they were actually overseas.
Prince earned more than 89000 dollars through the scheme. Prosecutors said his part of the operation targeted 64 US companies and helped North Korean IT workers collect more than 900000 dollars in salary payments. The DOJ added that Prince was among several individuals charged in early 2025 for assisting the workers in securing jobs through deception and identity fraud.
The three other Americans who pleaded guilty are 24-year-old Audricus Phagnasay, 34-year-old Alexander Paul Travis, and 30-year-old Jason Salazar. Investigators said they provided their personal identities to the fake IT workers between 2019 and 2022 and helped them move past standard employee checks. Their support included letting the workers use their names and also helping them pass drug tests and other screening steps that would normally flag irregular activity.
Authorities noted that Travis was an active-duty US Army member while he took part in the scheme. Travis earned more than 51000 dollars, while Salazar and Phagnasay made a few thousand dollars each. In total, the scheme helped the North Korean IT workers earn about 1.28 million dollars from US companies during that period.
Each of the four US nationals pleaded guilty to one count of wire fraud conspiracy. Their pleas highlight how easily North Korean IT workers can slip into US employment pipelines when insiders support them. The DOJ said the workers accessed systems, handled internal tasks, and collected salaries just like legitimate hires, all while secretly working for the regime.
The fifth defendant is Ukrainian national Oleksandr Didenko. He pleaded guilty to one count of wire fraud conspiracy and one count of aggravated identity theft. Prosecutors said Didenko agreed to forfeit more than 1.4 million dollars as part of his plea.
Didenko was arrested in Poland in 2024 and later extradited. Investigators said he helped North Korean IT workers secure jobs at 40 US companies, supporting hiring pipelines that generated hundreds of thousands of dollars for the workers. The DOJ added that Didenko’s network operated quietly for years and relied on a steady supply of forged or stolen identities.
Overall, the Justice Department said the five defendants helped the workers trick more than 136 companies into hiring them. The activity generated more than 2.2 million dollars for North Korea. Officials said the money was part of a larger effort by Pyongyang to build income streams outside traditional sanctions. These networks help fund weapons programs and other state operations.
North Korea is believed to deploy thousands of highly skilled IT workers abroad. They often pose as freelance developers or remote employees. Although they appear independent on the surface, the DOJ said most are tied to state-directed revenue programs. These workers are estimated to generate hundreds of millions of dollars each year by blending into global IT markets and taking remote technical roles worldwide.
The Justice Department also revealed a separate action linked to North Korean cyber activity. Officials announced civil complaints seeking the forfeiture of more than 15 million dollars in USDT cryptocurrency. The funds were seized by the FBI in March 2025 from a North Korean threat group known as APT38, which is also called Lazarus.
Investigators said Lazarus remains one of the most active and dangerous cyber groups linked to North Korea. The group has been responsible for high-profile thefts across the global financial system, including attacks on cryptocurrency exchanges, payment systems, and banks. The seized USDT was tied to laundering operations that moved stolen funds into accounts controlled by the group.
The DOJ said these actions show how North Korea uses a mix of IT workers, cyber operatives, and financial laundering networks to bypass sanctions. The guilty pleas offer a rare inside look at how the workers gain access to US employment systems. They also show how individuals inside the United States can become crucial points of entry, sometimes for small payouts that seem insignificant next to the overall scale of the scheme.
Officials added that the cases remain part of a broader investigation. More companies have come forward, and federal agencies are reviewing hiring practices and remote-work security policies. The DOJ said North Korean IT workers often use legitimate hiring platforms. They may even pass interviews and technical tests with ease because many are highly trained and experienced.
The scheme exploited weaknesses in remote-work verification. Many companies rely on digital onboarding tools. Some trust login locations or VPN signals without deeper checks. The workers were sometimes able to appear as if they were connecting from inside the United States because laptops were physically hosted at US locations by the defendants.
Authorities said this type of activity will likely continue unless firms strengthen identity checks and require more robust verification of remote employees. The DOJ encouraged businesses to be more cautious when hiring remote IT workers, especially when the applicant’s identity or location cannot be confirmed through reliable methods.
The guilty pleas mark a significant step in the US response to North Korea’s global IT operations. Yet investigators said the underlying threat remains active. As long as North Korea continues to rely on overseas workers and cyber operations to generate revenue, US companies will remain targets. The DOJ said the recent cases will likely lead to more arrests and more pressure on individuals who knowingly help foreign operatives hide inside legitimate job pipelines.
