Cyberwire Daily

Five Plead Guilty in U.S. for Helping North Korean IT Workers Infiltrate 136 Companies

By Team-CWD, November 25, 2025


The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea’s illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions.

The five individuals are listed below –

  • Audricus Phagnasay, 24
  • Jason Salazar, 30
  • Alexander Paul Travis, 34
  • Oleksandr Didenko, 28, and
  • Erick Ntekereze Prince, 30

Phagnasay, Salazar, and Travis pleaded guilty to one count of wire fraud conspiracy for knowingly allowing IT workers located outside of the U.S. to use their U.S. identities between about September 2019 and November 2022 and secure jobs at American firms.

The three defendants also served as facilitators, hosting the company-issued laptops at their residences and installing remote desktop software on those machines without authorization so that the IT workers could connect to them and give the impression that they were working remotely within the U.S.

Furthermore, the trio is said to have aided the overseas IT workers in passing employer vetting procedures, with Salazar and Travis taking it to the next level by appearing for drug testing on their behalf. Travis, then an active-duty member of the U.S. Army, received at least $51,397 for his role in the fraudulent scheme. Phagnasay and Salazar are said to have earned at least $3,450 and $4,500, respectively.

Didenko, whose arrest was disclosed by the DoJ back in May 2025, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for stealing the identities of U.S. citizens and selling them to IT workers so that they could land jobs at 40 U.S. companies. Didenko has also agreed to forfeit more than $1.4 million.

“Didenko ran a website using a U.S.-based domain, ‘Upworksell.com,’ designed to help overseas IT workers buy or rent stolen or borrowed identities,” the DoJ said. “Beginning in 2021, the IT workers used the identities to get hired on online freelance work platforms based in California and Pennsylvania.”

The Ukrainian national also paid individuals in the U.S. to receive and host laptops, turning their homes into laptop farms for the IT workers. One such laptop farm was operated by Christina Marie Chapman in Arizona. Didenko’s site has since been seized. Chapman was sentenced to 8.5 years in prison in July 2025.

Didenko is estimated to have managed as many as 871 proxy identities and facilitated the operation of at least three U.S.-based laptop farms. He also enabled his overseas clients to access Money Service Transmitters rather than having to physically open an account at a U.S. bank to transfer the employment income to foreign bank accounts.

Rounding off the list is Prince, who has pleaded guilty to one count of wire fraud conspiracy for allegedly operating a company called Taggcar Inc. from approximately June 2020 through August 2024 to supply “certified” IT workers to U.S. companies and for running a laptop at his home in Florida. Prince earned more than $89,000 for his involvement in the IT worker fraud.

It’s worth noting that Prince, along with Pedro Ernesto Alonso De Los Reyes, Emanuel Ashtor, Jin Sung-Il (진성일), and Pak Jin-Song (박진성), was indicted earlier this January for allegedly allowing North Korean IT workers to obtain work at more than 64 U.S. companies.

The scheme netted more than $943,069 in salary payments, most of which were funneled back to the IT workers overseas. Ashtor is currently awaiting trial, and De Los Reyes is pending extradition from the Netherlands.

“In total, these defendants’ fraudulent employment schemes impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the [Democratic People’s Republic of Korea] regime, and compromised the identities of more than 18 U.S. persons,” the DoJ said.


In a set of related actions, the DoJ said it has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million that the U.S. Federal Bureau of Investigation (FBI) seized in March 2025 from APT38 (aka BlueNoroff) actors. The digital assets, the complaints allege, were illegally obtained through hacks at overseas virtual currency platforms –

  • Theft of approximately $37 million from an Estonia-based virtual currency payments processor in July 2023
  • Theft of approximately $100 million from a Panama-based virtual currency payment processor in July 2023
  • Theft of approximately $138 million from a Panama-based virtual currency exchange in November 2023, and
  • Theft of approximately $107 million in virtual currency from a Seychelles-based virtual currency exchange in November 2023

“Efforts to trace, seize, and forfeit related stolen virtual currency remain ongoing, as the APT38 actors continue to launder such funds through various virtual currency bridges, mixers, exchanges, and over-the-counter traders,” the department added.

The new round of guilty pleas is the latest effort on the part of the U.S. government to combat and disrupt North Korea’s IT worker and hacking schemes, which have been used to fund the regime’s priorities. For several years, North Korea has successfully infiltrated hundreds of companies in the West and elsewhere, posing as remote IT workers to draw steady salaries and use them to fund its nuclear weapons program.

A couple of weeks ago, the U.S. Treasury Department levied sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and IT worker fraud.


