On Friday, the U.S. Department of Justice (DOJ) announced its latest North Korea crypto seizure: more than $15 million in Tether (USDT) linked to state-backed hackers and a sprawling fake-IT-worker network that burrowed into 100+ American companies.
Alongside the forfeiture actions, five U.S. citizens pleaded guilty to helping North Korean operatives pose as remote IT staff, generate millions in wages, and quietly recycle those funds (and stolen crypto) back to Pyongyang’s weapons programmes.
Inside the latest seizure
The headline number is simple enough: over $15 million in USDT seized via civil forfeiture complaints, tied to multiple 2023 exchange hacks attributed to North Korea’s APT38/Lazarus ecosystem.

Key points:
- The seizure centres on Tether’s USDT, one of the most liquid tokens in the world – and a favourite rail for both legitimate trading and illicit cash-outs.
- The funds are linked to Lazarus Group / APT38, the same DPRK actor set responsible for the Ronin bridge hack (~$620m), Harmony’s Horizon bridge theft (~$100m), and the Stake.com incident (~$41m), among others.
- According to the DOJ and follow-up reporting, the seized USDT traces back to four major 2023 hacks hitting exchanges in Panama, Estonia and Seychelles, with a combined loss of roughly $382 million.
The legal tool of choice is civil forfeiture: the government sues the assets themselves as “proceeds of specified unlawful activity” rather than waiting for a criminal conviction of a named individual. It’s faster, controversial, and increasingly central to how the U.S. handles seized crypto, especially when the ultimate owners live in Pyongyang, not New Jersey.
The DOJ says the goal is to:
- Disrupt Pyongyang’s “money machine”, and
- Route recovered funds back to victims, not into a general slush fund.
Whether that remains straightforward in the age of a U.S. Strategic Bitcoin Reserve is another question we’ll come back to.
The fake IT worker factory behind the hacks
Running parallel to the on-chain seizures is the more mundane and arguably more worrying part of the story: North Korea’s fake IT workforce embedded inside Western companies.

The DOJ highlights five recent guilty pleas involving U.S. nationals who:
- Stole and repurposed U.S. identities (names, Social Security numbers, credentials) to front DPRK developers as American freelancers.
- Managed “laptop farms” and residential IP setups so workers in China, Russia, or elsewhere appeared to be logging in from U.S. soil.
- Shepherded payroll flows from at least 100 U.S. companies (some reporting puts it at 136) into accounts they controlled, before converting proceeds into crypto and forwarding them on.
This isn’t petty grift. Previous DOJ filings from June 2025 describe similar DPRK IT schemes generating millions of dollars and laundering over $7.74 million in crypto via U.S. and offshore exchanges, money service businesses and mixing services.
A long-running campaign of crypto theft
None of this lands out of nowhere.
Various UN panels, analytical firms and law enforcement reports now place DPRK-linked crypto thefts in the multi-billion dollar range, with estimates spanning from roughly $3 billion since 2017 up to $5 billion between 2021 and 2025 when including the latest Bybit-linked mega heist.
What’s different now is the precision of the response.
The June 2025 forfeiture case against $7.74m in laundered DPRK IT-worker crypto was a clear marker that U.S. agencies were willing to chase relatively modest sums if it meant burning the infrastructure.
Stablecoins, strategic reserves and the politics of seized crypto
There’s a broader policy backdrop here that crypto should not ignore.
In March 2025, President Trump signed an executive order creating a U.S. Strategic Bitcoin Reserve and a separate Digital Asset Stockpile, to be funded with forfeited crypto from law-enforcement actions. The idea: don’t auction everything off; hold some seized bitcoin as a sovereign strategic asset instead.
Subsequent comments from Treasury officials suggest that forfeited bitcoin is expected to seed that reserve, with “budget-neutral” strategies to accumulate more over time, i.e. not by buying spot with taxpayer funds.
Where does that leave non-bitcoin assets like USDT seized from DPRK operations? Right now:
- The DOJ and Treasury have been at pains to emphasise victim restitution first, with any reserve or stockpile considerations coming after compensation.
- The Digital Asset Stockpile provides a formal bucket for non-BTC assets, but policy on long-term stablecoin holdings versus liquidation is still evolving.
On one hand, holding confiscated BTC in a strategic reserve arguably aligns public interest (taxpayers keep upside) with enforcement. On the other, there’s an obvious conflict if seizures become a quiet way of feeding the national balance sheet without sufficient oversight or guarantees for victims.

As the reserve architecture hardens, expect more questions about where seized crypto really ends up. At the same time, the enforcement story is drifting steadily from wallets to workplaces: remote IT hiring increasingly functions as critical infrastructure rather than simple admin, with IP checks, device provenance, behavioural monitoring and solid sanctions screening on contractors now central to the risk picture.
And for the industry at large, this crypto seizure underlines a trend we’ve seen building since 2022: state-level cyber ops have fully embraced the crypto stack, and states on the other side are learning to weaponise it back.


