UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
UNITED STATES OF AMERICA,
Plaintiff, Case No. 25-cv-34 (JMC)
v.
APPROXIMATELY 1,467,761.163191 USDT,
Defendant in rem.
MEMORANDUM OPINION
The United States brought this forfeiture action in rem against approximately
1,467,761.163191 USDT (Defendant Property). The Government argues that the Defendant
Property is subject to seizure and forfeiture under 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C.
§ 2461(c) as property “which constitutes or is derived from proceeds traceable” to identity theft,
computer fraud and abuse, wire fraud, money laundering, and other related offenses. ECF 12-2
¶¶ 66–70. The Government has satisfied the requisite notice requirements, yet potential claimants
have failed to appear or defend this action. The Clerk of Court entered default, and the Government
now moves for an entry of default judgment. The Court finds that the Government has
demonstrated its entitlement to such judgment and GRANTS the motion.1
I. FACTUAL BACKGROUND
This case arises out of an FBI investigation of a cryptocurrency heist perpetuated by North
Korean hackers against a company registered in the British Virgin Islands and headquartered in
1 Unless otherwise indicated, the formatting of citations has been modified throughout this opinion, for example, by omitting internal quotation marks, emphases, citations, and alterations and by altering capitalization. All pincites to documents filed on the docket in this case are to the automatically generated ECF Page ID number that appears at the top of each page.
1 Australia. ECF 12-2 ¶ 35. The hackers used U.S.-based computer infrastructure to create accounts
for false online personas, including two personas known as John Rafman and Andrychuk Lu. Id.
¶¶ 39–40. Once hired by Company 1, Rafman, Lu, and others used their inside access to steal
cryptocurrency, including the Defendant Property. Id. ¶ 33. Specifically, Company 1 gave Rafman
the “master key” for two vaults, which contained smart contracts on various blockchains. Id. ¶ 40.
Rafman presumably shared the master key with Lu. On March 15, 2024, Lu used the master key
access to execute a function on Company 1’s master smart contract that initiated “an unauthorized
transfer of virtual currency assets from the . . . vaults, belonging to Company 1, to wallets
controlled by the North Korean IT workers.” Id. ¶¶ 32, 44. To use their Company 1 email accounts,
the North Korean hackers used a U.S.-based Internet Protocol (IP) address that they accessed
through a virtual private network (VPN) service. Id. ¶ 34. The hackers accessed their email
accounts from the U.S. IP address “at least 23 times” between October 5, 2023, and March 15,
2024. Id. ¶ 60. The Company 1-provided email addresses were hosted by Google and the U.S. IP
address was “controlled by the U.S.-based internet service provider Quadranet,” likely passing
through datacenters within the United States. Id.
As the Government represents, “[t]he Defendant Property represents a majority of the funds
traceable to the March 2024 exploit and theft of funds from Company 1.” Id. ¶ 38. On or about
April 1, 2024, the FBI seized various cryptocurrencies as part of this investigation, including the
1,467,761.163191 USDT that constitutes the Defendant Property. Id. ¶ 62. The Defendant Property
was transferred into an FBI-controlled virtual currency wallet and is now in possession of the U.S.
Marshals Service. Id. ¶¶ 63–64.
2 II. PROCEDURAL HISTORY
On January 6, 2025, the Government filed a verified complaint asserting a civil forfeiture
action in rem against the Defendant Property. ECF 1. One day later, the Court made a probable
cause finding and issued a warrant for arrest in rem with regards to the Defendant Property. ECF 3.
On February 6, 2025, the Government commenced notification of this forfeiture online at
forfeiture.gov for thirty consecutive days. ECF 5-1 at 1. Verified claims in response to this notice
were due no later than April 6, 2025. ECF 9 ¶ 3. No claims based on publication were filed. Id.
The Government also sent direct notice to all nine interested parties in the Defendant Property on
January 15, 2025. Id. ¶ 13; ECF 9-1; ECF 9-2; ECF 9-3; ECF 9-4.
On June 6, 2025, the Government moved for default judgment. ECF 9. In October 2025,
the Court ordered the Government to file a supplemental memorandum with the Court detailing
the factual and legal bases for finding that the Defendant Property had the necessary nexus with
the United States to satisfy the elements of the underlying criminal statutes. Oct. 16, 2025 Min.
Order. The Government filed its supplemental memorandum for default judgment and an amended
verified complaint, to incorporate the additional information the Court requested, on December
22, 2025. ECF 12-2; ECF 13.
III. LEGAL STANDARD
The Federal Rules of Civil Procedure authorize a district court to enter default judgment
against a defendant who fails to defend its case. Fed. R. Civ. P. 55(b)(2). “Obtaining a default
judgment is a two-step process.” United States v. Twenty-Four Cryptocurrency Accts., 473 F.
Supp. 3d 1, 4 (D.D.C. 2020); see Fed. R. Civ. P. 55(a)–(b). First, a plaintiff must request the Clerk
of the Court to enter default against a party who “has failed to plead or otherwise defend.” Fed. R.
Civ. P. 55(a). Second, the plaintiff must move for default judgment. Fed. R. Civ. P. 55(b). Whether
3 default judgment is appropriate is “committed to the sound discretion of” the trial court. Boland v.
Yoccabel Constr. Co., 293 F.R.D. 13, 17 (D.D.C. 2013). A defendant’s failure to respond “does
not automatically entitle plaintiff to a default judgment.” United States v. $6,999,925.00 of Funds
Associated with Velmur Mgmt. Pte. Ltd., 368 F. Supp. 3d 10, 17 (D.D.C. 2019). The complaint
must still plead sufficient allegations which, when taken as true, state a claim for relief for the
plaintiff to be entitled to default judgment. Id.
Here, the Government seeks default judgment in a civil forfeiture action in rem. Rule G of
the Supplemental Rules for Admiralty or Maritime Claims and Asset Forfeiture Actions
(Supplemental Rules) set forth the pleading requirements for such an action. First, Supplemental
Rule G(1) requires that a forfeiture action in rem properly “aris[e] from a federal statute.” Fed. R.
Civ. P. Supp. R. G(1). Next, Supplemental Rule G(2) requires that a complaint must (a) be verified;
(b) state the grounds for the court’s jurisdiction; (c) describe the property with “reasonable
particularity”; (d) if the property is tangible, identify where the property was seized or else “its
location when the action is filed”; (e) identify the statutory cause of action; and (f) “state
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
UNITED STATES OF AMERICA,
Plaintiff, Case No. 25-cv-34 (JMC)
v.
APPROXIMATELY 1,467,761.163191 USDT,
Defendant in rem.
MEMORANDUM OPINION
The United States brought this forfeiture action in rem against approximately
1,467,761.163191 USDT (Defendant Property). The Government argues that the Defendant
Property is subject to seizure and forfeiture under 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C.
§ 2461(c) as property “which constitutes or is derived from proceeds traceable” to identity theft,
computer fraud and abuse, wire fraud, money laundering, and other related offenses. ECF 12-2
¶¶ 66–70. The Government has satisfied the requisite notice requirements, yet potential claimants
have failed to appear or defend this action. The Clerk of Court entered default, and the Government
now moves for an entry of default judgment. The Court finds that the Government has
demonstrated its entitlement to such judgment and GRANTS the motion.1
I. FACTUAL BACKGROUND
This case arises out of an FBI investigation of a cryptocurrency heist perpetuated by North
Korean hackers against a company registered in the British Virgin Islands and headquartered in
1 Unless otherwise indicated, the formatting of citations has been modified throughout this opinion, for example, by omitting internal quotation marks, emphases, citations, and alterations and by altering capitalization. All pincites to documents filed on the docket in this case are to the automatically generated ECF Page ID number that appears at the top of each page.
1 Australia. ECF 12-2 ¶ 35. The hackers used U.S.-based computer infrastructure to create accounts
for false online personas, including two personas known as John Rafman and Andrychuk Lu. Id.
¶¶ 39–40. Once hired by Company 1, Rafman, Lu, and others used their inside access to steal
cryptocurrency, including the Defendant Property. Id. ¶ 33. Specifically, Company 1 gave Rafman
the “master key” for two vaults, which contained smart contracts on various blockchains. Id. ¶ 40.
Rafman presumably shared the master key with Lu. On March 15, 2024, Lu used the master key
access to execute a function on Company 1’s master smart contract that initiated “an unauthorized
transfer of virtual currency assets from the . . . vaults, belonging to Company 1, to wallets
controlled by the North Korean IT workers.” Id. ¶¶ 32, 44. To use their Company 1 email accounts,
the North Korean hackers used a U.S.-based Internet Protocol (IP) address that they accessed
through a virtual private network (VPN) service. Id. ¶ 34. The hackers accessed their email
accounts from the U.S. IP address “at least 23 times” between October 5, 2023, and March 15,
2024. Id. ¶ 60. The Company 1-provided email addresses were hosted by Google and the U.S. IP
address was “controlled by the U.S.-based internet service provider Quadranet,” likely passing
through datacenters within the United States. Id.
As the Government represents, “[t]he Defendant Property represents a majority of the funds
traceable to the March 2024 exploit and theft of funds from Company 1.” Id. ¶ 38. On or about
April 1, 2024, the FBI seized various cryptocurrencies as part of this investigation, including the
1,467,761.163191 USDT that constitutes the Defendant Property. Id. ¶ 62. The Defendant Property
was transferred into an FBI-controlled virtual currency wallet and is now in possession of the U.S.
Marshals Service. Id. ¶¶ 63–64.
2 II. PROCEDURAL HISTORY
On January 6, 2025, the Government filed a verified complaint asserting a civil forfeiture
action in rem against the Defendant Property. ECF 1. One day later, the Court made a probable
cause finding and issued a warrant for arrest in rem with regards to the Defendant Property. ECF 3.
On February 6, 2025, the Government commenced notification of this forfeiture online at
forfeiture.gov for thirty consecutive days. ECF 5-1 at 1. Verified claims in response to this notice
were due no later than April 6, 2025. ECF 9 ¶ 3. No claims based on publication were filed. Id.
The Government also sent direct notice to all nine interested parties in the Defendant Property on
January 15, 2025. Id. ¶ 13; ECF 9-1; ECF 9-2; ECF 9-3; ECF 9-4.
On June 6, 2025, the Government moved for default judgment. ECF 9. In October 2025,
the Court ordered the Government to file a supplemental memorandum with the Court detailing
the factual and legal bases for finding that the Defendant Property had the necessary nexus with
the United States to satisfy the elements of the underlying criminal statutes. Oct. 16, 2025 Min.
Order. The Government filed its supplemental memorandum for default judgment and an amended
verified complaint, to incorporate the additional information the Court requested, on December
22, 2025. ECF 12-2; ECF 13.
III. LEGAL STANDARD
The Federal Rules of Civil Procedure authorize a district court to enter default judgment
against a defendant who fails to defend its case. Fed. R. Civ. P. 55(b)(2). “Obtaining a default
judgment is a two-step process.” United States v. Twenty-Four Cryptocurrency Accts., 473 F.
Supp. 3d 1, 4 (D.D.C. 2020); see Fed. R. Civ. P. 55(a)–(b). First, a plaintiff must request the Clerk
of the Court to enter default against a party who “has failed to plead or otherwise defend.” Fed. R.
Civ. P. 55(a). Second, the plaintiff must move for default judgment. Fed. R. Civ. P. 55(b). Whether
3 default judgment is appropriate is “committed to the sound discretion of” the trial court. Boland v.
Yoccabel Constr. Co., 293 F.R.D. 13, 17 (D.D.C. 2013). A defendant’s failure to respond “does
not automatically entitle plaintiff to a default judgment.” United States v. $6,999,925.00 of Funds
Associated with Velmur Mgmt. Pte. Ltd., 368 F. Supp. 3d 10, 17 (D.D.C. 2019). The complaint
must still plead sufficient allegations which, when taken as true, state a claim for relief for the
plaintiff to be entitled to default judgment. Id.
Here, the Government seeks default judgment in a civil forfeiture action in rem. Rule G of
the Supplemental Rules for Admiralty or Maritime Claims and Asset Forfeiture Actions
(Supplemental Rules) set forth the pleading requirements for such an action. First, Supplemental
Rule G(1) requires that a forfeiture action in rem properly “aris[e] from a federal statute.” Fed. R.
Civ. P. Supp. R. G(1). Next, Supplemental Rule G(2) requires that a complaint must (a) be verified;
(b) state the grounds for the court’s jurisdiction; (c) describe the property with “reasonable
particularity”; (d) if the property is tangible, identify where the property was seized or else “its
location when the action is filed”; (e) identify the statutory cause of action; and (f) “state
sufficiently detailed facts to support a reasonable belief that the government will be able to meet
its burden of proof at trial.” Fed. R. Civ. P. Supp. R. G(2). Finally, before default judgment is
issued for forfeiture in rem, “the government must show that it complied with the notice
requirements contained in the Supplemental Rules.” United States v. $1,071,251.44 of Funds
Associated with Mingzheng Int’l Trading Ltd., 324 F. Supp. 3d 38, 46 (D.D.C. 2018); see Fed. R.
Civ. P. Supp. R. G(4).
IV. ANALYSIS
The Court finds that default judgment is warranted. As discussed in greater detail below,
(a) the Government complied with notice requirements; and (b) the verified complaint contains
4 sufficient information to support a finding by the preponderance of the evidence that forfeiture of
the Defendant Funds is appropriate under 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C. § 2461(c). ECF
12-2 ¶ 11.
A. Notice
Before the Court enters default judgment, the Government must show that it complied with
the notice requirements in the Supplemental Rules. Supplemental Rule G requires two forms of
notice in a forfeiture action in rem: notice via publication as well as direct notice to potential
claimants. See Fed. R. Civ. P. Supp. R. G(4)(a), (b). Here, the Government has satisfied its
obligation as to both publication and direct notice.
First, the Government provided publication notice. Publication notice requires the
Government to “describe the property, state the time to file a claim and answer, and name the
government attorney to be served with the claim and answer.” Cryptocurrency Accts., 473 F. Supp.
3d at 5 (citing Fed. R. Civ. P. Supp. R. G(4)(a)(ii)). Such notice can be published “on an official
internet government forfeiture site for at least 30 consecutive days.” Fed. R. Civ. P. Supp. R.
G(4)(a)(iv)(C). In this case, the Government published a notice of forfeiture online at
http://www.forfeiture.gov on February 6, 2025. ECF 9 ¶ 12. The publication contained all the
required information and was publicly available for thirty consecutive days. ECF 5-1 at 2–3. No
claims based on publication were filed.
Second, the Government satisfied the direct notice requirement. Direct notice must be sent
“to any person who reasonably appears to be a potential claimant.” Fed. R. Civ. P. Supp. R.
G(4)(b)(i). Actual notice is not required, but the government must send direct notice “by means
reasonably calculated to reach the potential claimant.” Id. G(4)(b)(iii)(A). When the government
attempts to provide notice and “hear[s] nothing back indicating that anything ha[s] gone awry,”
5 then it is reasonable to assume that service was effective. Jones v. Flowers, 547 U.S. 220, 226
(2006). On January 15, 2025, the Government represents that it sent notice to all nine interested
parties in this case via e-mail. ECF 9 ¶ 13; ECF 9-1; ECF 9-2; ECF 9-3; ECF 9-4. By ensuring that
each identified potential claimant had at least one unreturned mailing, the Government has
satisfied its burden to provide direct notice of this action and met all the notice requirements.
B. Adequacy of Complaint
As described above, default judgment in a civil forfeiture action in rem requires the
Government to fulfill two requirements. First, the Government must demonstrate that its forfeiture
action adequately “aris[es] from a federal statute.” Fed. R. Civ. P. Supp. R. G(1). Second, its
complaint must satisfy the six elements set forth in Supplemental Rule G(2): “(a) be verified; (b)
state the grounds for subject-matter jurisdiction, in rem jurisdiction over the defendant property,
and venue; (c) describe the property with reasonable particularity; (d) if the property is tangible,
state its location when any seizure occurred and—if different—its location when the action is filed;
(e) identify the statute under which the forfeiture action is brought; and (f) state sufficiently
detailed facts to support a reasonable belief that the government will be able to meet its burden at
trial.” Rule G(1) effectively collapses into (G)(2)’s requirements, so the Court addresses the Rules
collectively below.
The Government has filed a verified compliant “identifying the statute under which the
forfeiture action was brought and describing the Defendant Propert[y] in extensive detail.”
Cryptocurrency Accts., 473 F. Supp. 3d at 6–7; ECF 12-2 ¶¶ 62–70 (describing the funds that
constitute the Defendant Property, where the funds were transferred, and the statutory provisions
under which forfeiture is sought). The Court also finds that the complaint properly establishes the
bases for subject-matter jurisdiction and venue. Under 28 U.S.C. § 1355(a), district courts “have
6 original jurisdiction . . . of any action or proceeding for . . . forfeiture, pecuniary or otherwise,
incurred under any Act of Congress”—in this case, 18 U.S.C. § 981. Further, under 28 U.S.C.
§ 1345, “the district courts shall have original jurisdiction of all civil actions, suits or proceedings
commenced by the United States.” This being a civil forfeiture action initiated by the United States,
the Court is satisfied that it has subject-matter jurisdiction. Additionally, venue can be established
under 28 U.S.C. § 1395(b) and (c). Under 28 U.S.C. § 1395(b), a civil proceeding for forfeiture
“may be prosecuted in any district where such property is found” and, under subsection (c), “[a]
civil proceeding for the forfeiture of property seized outside any judicial district may be prosecuted
in any district into which the property is brought.” Because the Defendant Property was seized
outside of any judicial district and is now under the control of the U.S. Marshals Service in this
district, the Court finds that venue is proper here. ECF 12-2 ¶¶ 63–64. Finally, the Court finds that
it has in rem jurisdiction over the Defendant Property held by the U.S. Marshals Service. See
United States v. All Assets Held in Acct. No. XXXXXXXX, 330 F. Supp. 3d 150, 156 (D.D.C. 2018)
(“Traditionally, when exercising in rem jurisdiction, the defendant property is physically present
within the court’s territorial jurisdiction.”); United States v. $299,218.48 in U.S. Currency, 742 F.
Supp. 3d 1, 6 (D.D.C. 2024) (“The defendant funds are located within this court’s territorial
jurisdiction because DHS transferred them to an account in Washington, D.C. after their seizure.”).
The final element is whether the Government has alleged sufficient facts in its complaint
to “support a reasonable belief that the government will be able to meet its burden of proof at trial.”
Fed. R. Civ. P. Supp. R. G(2)(f); see Mingzheng Int’l Trading, 324 F. Supp. 3d at 41 (interpreting
this rule to require that the complaint “establish a reasonable belief that the government could
prove by a preponderance of the evidence that [Defendant Property is] subject to civil in rem
forfeiture”). Supplemental Rule G(2) “does not articulate an onerous standard,” but instead
7 establishes a “low bar” that is appropriate at the default judgment stage “where a court should
exercise greater flexibility in judging factual allegations.” Mingzheng Int’l Trading, 324 F. Supp.
3d at 51–52.
The complaint satisfies this low bar. The Government alleges, among other bases, that the
Defendant Property is subject to forfeiture pursuant to 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C.
§ 2461(c) because it is property “constituting or derived from proceeds traceable to” wire fraud
under 18 U.S.C. § 1343. ECF 12-2 ¶ 66. The wire fraud statute requires that a defendant “transmit[]
or cause[] to be transmitted” a wire transmission “in interstate or foreign commerce . . . for the
purpose of executing [the] scheme or artifice” to defraud. 18 U.S.C. § 1343. It is well-established
that the wire “transfer need not be the scheme’s objective; it need only be a step in the plot.” United
States v. White, 737 F.3d 1121, 1129 (7th Cir. 2013).
The complaint describes in detail a scheme by North Korean hackers to illicitly access the
Defendant Property through the use of U.S.-based computer infrastructure, including by using a
VPN to lease a U.S. IP address. In doing so, the perpetrators transmitted wire communications in
interstate or foreign commerce as part of their scheme to defraud Company 1. Specifically, the
hackers “leased U.S. IP addresses from U.S. internet service provider Quadranet . . . to effectuate
their criminal scheme.” ECF 13 at 22. During the course of the heist, from about October 5, 2023,
to March 15, 2024, the hackers accessed their Company 1 email addresses from their U.S.-based
IP address at least 23 times, including four logins on the day of the heist. Id. at 23. The hackers’
fraudulent use of the U.S. IP address to send emails constituted transmissions in interstate or
foreign commerce as part of their scheme to gain access to Company 1’s vaults. Id.; see United
States v. Jameson, 371 F. App’x 963, 966 (10th Cir. 2010) (holding that downloading and sending
images from a specific U.S.-based IP address satisfied the statutory requirement of
8 communications in interstate or foreign commerce); United States v. Wasson, 426 F. Supp. 3d 822,
830 (D. Kan. 2019) (holding that use of a U.S.-based IP address and Google account constituted
uses of facilities of interstate commerce). Accordingly, the Government has met its burden to show
that it could prove at trial that the Defendant Property constitutes the proceeds of wire fraud under
18 U.S.C. § 1343 and is forfeitable under 18 U.S.C. § 981(a)(1)(C).
The Court finds that the Government has thus met its burden under Supplemental Rule
G(2) and alleged facts sufficient to establish a reasonable belief that it would be able to prove its
forfeiture claim by a preponderance of the evidence. As a result, both Supplemental Rules G(1)
and G(2) are satisfied.
* * *
Because the verified complaint states a claim for forfeiture in rem pursuant to Supplemental
Rules G(1) and G(2), the Government has complied with the notice requirements of Supplemental
Rule G(4), and no claimant has appeared in this action, the Government’s motion for default
judgment, as supplemented, is GRANTED. It is further ORDERED:
1. That default judgment is hereby entered against all persons or entities claiming an
interest in the Defendant Property;
2. That the Defendant Property shall be forfeited to the United States of America and no
right, title, or interest in the following property shall exist in any other entity or person;
3. Title to the Defendant Property is vested solely in the United States;
4. That the Defendant Property shall be disposed of according to law; and
5. That no additional action is required, and this matter is dismissed. The Clerk of Court is
directed to close this case.
A separate order accompanies this memorandum opinion.
9 SO ORDERED.
__________________________ JIA M. COBB United States District Judge
Date: February 6, 2026