4 Sources
[1]
29 North Korean laptop farms busted by U.S. Department of Justice -- illicit IT workers across 16 states reportedly obtained employment with more than 100 U.S. companies to help fund regime
IT workers in North Korea are getting jobs at American companies to help fund the country's weapons programs. The Justice Department announced on June 30 its latest hit in the game of geopolitical whac-a-mole against North Korea's nuclear weapons programs. The department said on Monday that it had conducted a series of coordinated actions, including "two indictments, an arrest, searches of 29 known or suspected 'laptop farms' across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites," after North Korean IT workers "successfully obtained employment with more than 100 U.S. companies" with the help of "individuals in the United States, China, United Arab Emirates, and Taiwan." International sanctions make it practically impossible for North Korea to fund its nuclear programs through legitimate means. But rather than scuttling its efforts to become a nuclear power, the so-called Hermit Kingdom has turned to alternative sources of income, such as stealing billions of dollars worth of cryptocurrency and conducting ransomware operations against organizations in a variety of sectors. The latest scheme involves placing operatives in high-paying jobs at U.S. tech companies. The State Department, Treasury Department, and FBI said (PDF) in 2022 that North Korea "has dispatched thousands of highly skilled IT workers around the world" who "in many cases misrepresent themselves as foreign (non-North Korean) or U.S.-based teleworkers, including by using virtual private networks (VPNs), virtual private servers (VPSs), purchased third-country IP addresses, proxy accounts, and falsified or stolen identification documents" in a bid to evade detection for as long as possible. Yet the revelation of its not-so-secret funding operations hasn't discouraged North Korea. Quite the opposite: "We have observed the North Korean IT worker threat evolve," Google Cloud said in March. 
"We've detected North Korean IT workers conducting a global expansion beyond the U.S., with a notable focus on Europe. They have also intensified extortion campaigns against employers, and they've moved to conduct operations in corporate virtual desktops, networks, and servers." Politico reported in May that "the scam is more widespread than previously understood and has recently hit many Fortune 500 companies." The problem is probably going to get worse before it gets better, too, with Wired reporting that generative AI has made it even more difficult for companies to determine if they're extending a job offer to a legitimate prospect or a North Korean operative. And help from people in the U.S. can mask other signs that a remote worker isn't above board. The Justice Department said that "certain U.S.-based individuals [allegedly] enabled one of the schemes by creating front companies and fraudulent websites to promote the bona fides of the remote IT workers, and hosted laptop farms where the remote North Korean IT workers could remote access into U.S. victim company-provided laptop computers." It would be suspicious for a supposedly U.S.-based worker to have their laptop shipped outside the country; these "laptop farms" circumvent that issue. Shutting down these operations can help protect companies from North Korean operatives who plan to use their access to private resources to steal intellectual property, provide information that could be useful for more overt cybercrime, and, yes, steal cryptocurrency. (The Justice Department said one undercover worker "stole virtual currency worth approximately over $900,000" from an Atlanta-based company.) The question is how long it'll take for other North Korean IT workers to take their place.
[2]
U.S. Arrests Key Facilitator in North Korean IT Worker Scheme, Seizes $7.74 Million
The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers. The coordinated action saw searches of 21 known or suspected "laptop farms" across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers. "The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies," the DoJ said. The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People's Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities. Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stole over $900,000 in digital assets. North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through "legitimate" work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data. "These schemes target and steal from U.S. 
companies and are designed to evade sanctions and fund the North Korean regime's illicit programs, including its weapons programs," said Assistant Attorney General John A. Eisenberg of the Department's National Security Division. Last month, the DoJ said it had filed a civil forfeiture complaint in federal court that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme. "North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft," said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. "North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea's authoritarian regime." Chief among the actions announced Monday includes the arrest of U.S. national Zhenxing "Danny" Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue. Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals - According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia "Tony" Wang, Zhenxing "Danny" Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme. 
To trick the companies into thinking that the remote workers are based in the U.S., Wang et al received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for "keyboard-video-mouse") switches like PiKVM or TinyPilot. "Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses," the DoJ said. "Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators." In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers. Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta. Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il. 
After Kim Kwang Jin and Jong Pong Ju gained their employers' trust and were assigned projects that granted them access to the firm's virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company's smart contracts. The stolen proceeds were then laundered using a cryptocurrency mixer and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents. "These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation," Michael "Barni" Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. "Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide." "The U.S. government's actions [...] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are."
Microsoft Suspends 3,000 Email Accounts Tied to IT Workers
Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.
The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy. The tech giant called out the IT workers' exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs. "These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities," the Microsoft Threat Intelligence team said. Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards. Furthermore, the witting accomplices are responsible for validating the IT workers' bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers' licenses, social security cards, passports, and permanent resident identification cards. As a way to counter the threat, Microsoft said it has developed a custom machine-learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions. 
"North Korea's fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries," Redmond said. "In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees."
[3]
US disrupts North Korean IT worker "laptop farm" scheme in 16 states
The U.S. Department of Justice (DoJ) announced coordinated law enforcement actions against the North Korean government's fundraising operations using remote IT workers. North Korean workers use stolen or fake identities created with the help of AI tools to get hired by more than 100 companies in the U.S., which believed they were employing experts from other Asian countries or the U.S. Their salaries are usually sent to the DPRK regime. According to court documents, two individuals, Kejia Wang and Zhenxing "Danny" Wang, compromised the identities of more than 80 U.S. citizens to help North Korean workers obtain remote jobs at U.S. companies. The two created multiple shell companies (e.g. Hopana Tech LLC, Tony WKJ LLC, Independent Lab LLC), financial accounts, and fake websites to make it look like the workers were affiliated with legitimate U.S. businesses. "Danny" Wang, who has been arrested, also hosted company-issued laptops in U.S. homes, connected to KVM switches, and provided remote access to remote DPRK workers. It is estimated that the particular operation generated more than $5 million in illicit revenue, while U.S. companies incurred an estimated $3 million in financial damages. In addition to the monetary losses, the DoJ also mentions that sensitive data, including U.S. military tech regulated under ITAR, was accessed and exfiltrated by the North Koreans. The law enforcement operation, part of the broader "DPRK RevGen: Domestic Enabler Initiative," ran from October 2024 until June 2025. It resulted in multiple searches at 29 suspected "laptop farms" across 16 states. The authorities also seized 29 financial accounts, 21 fake websites supporting the IT workers, and two hundred computers they used in their work.
In addition to the Wangs acting as U.S.-based facilitators, the following individuals have been indicted for their involvement in IT worker schemes: Authorities also identified four North Korean nationals - Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju (aka 'Bryan Cho') and Chang Nam Il (aka 'Peter Xiao'), who were charged with wire fraud and money laundering for working remotely at U.S. companies under false identities. Kim Kwang Jin is highlighted as a central figure, who worked at an Atlanta-based blockchain research and development firm since December 2020. In March 2022, he took advantage of his position to modify the source code in two of his employer's smart contracts, enabling the theft of cryptocurrency worth approximately $740,000 at the time, subsequently laundered through mixers like Tornado Cash. These four North Koreans remain at large, and the 'Rewards for Justice' program has announced $5,000,000 in rewards for credible information about their current location.
[4]
US Busts $5 Million North Korean IT Scam -- Americans, Chinese, Taiwanese Among Those Arrested
The U.S. Department of Justice (DOJ) has taken a significant step against North Korea's illicit financial activities, which involve remote IT workers operating within American tech firms. What Happened: The DOJ has announced a series of actions aimed at dismantling North Korea's money-making operations, which are conducted by covert remote IT workers within U.S. tech companies. The funds generated are allegedly used to finance North Korea's nuclear weapons program and for data and cryptocurrency theft. As per the DOJ, the fraud scheme impacted over 100 U.S. companies. U.S. Attorney for the District of Massachusetts, Leah B. Foley, stated, "Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies." The DOJ's crackdown resulted in the arrest and indictment of U.S. national Zhenxing "Danny" Wang and Kejia Wang who are accused of running a long-standing fraud operation out of New Jersey -- one that allegedly generated over $5 million for the North Korean regime. They face charges of conspiracy to commit wire fraud, money laundering, and identity theft. Additionally, eight other individuals, including six Chinese nationals and two Taiwanese citizens, have been indicted for their involvement in the scheme. Five North Korean nationals have been charged with wire fraud and money laundering for allegedly stealing over $900,000 in cryptocurrency from two unidentified companies by using fake or stolen identities, according to the Department of Justice. Why It Matters: North Korea's use of remote IT workers to conduct illicit financial activities has been an ongoing concern.
In May 2025, it was reported that Kim Jong Un's North Korea was infiltrating American businesses via remote jobs, with the help of unwitting U.S. citizens. This operation, run by a former waitress turned TikTok personality, saw North Korean workers overseas posing as U.S.-based tech employees and securing jobs at more than 300 American companies, collecting $17.1 million in pay. Earlier in May, a report by cybersecurity firm DTEX revealed that North Korea's cybercrime operations were being likened to a mafia organization controlled by Kim Jong Un. The operations involved a global network of North Korean technologists who infiltrated Fortune 500 companies and laundered money to support Kim's nuclear and ballistic missile ambitions. Despite these crackdowns, North Korea's cybercrime operations have continued to thrive. In June 2025, it was reported that crypto hacks and exploits had surged to record levels, with total losses exceeding $2.1 billion across at least 75 incidents. The largest single event was the $1.5 billion hack of Dubai-based crypto exchange Bybit in February, which was attributed to North Korea. Disclaimer: This content was partially produced with the help of AI tools and was reviewed and published by Benzinga editors.
The U.S. Department of Justice has taken action against a widespread North Korean scheme involving remote IT workers infiltrating American companies to fund the regime's weapons programs.
The U.S. Department of Justice (DoJ) has announced a series of coordinated actions targeting a widespread North Korean scheme involving remote IT workers infiltrating American companies. This operation, part of the "DPRK RevGen: Domestic Enabler Initiative," has led to significant arrests, seizures, and indictments across multiple states [1][2][3].
The North Korean IT worker scheme, described as a state-sponsored crime syndicate, involved operatives obtaining employment with U.S. companies as remote IT workers using stolen or fictitious identities [2]. More than 100 U.S. companies were reportedly affected, with the scheme generating over $5 million in illicit revenue [1][3]. The operation not only provided funding for North Korea's weapons programs but also enabled access to sensitive data, including U.S. military technology regulated under ITAR [3].
A central figure in the operation, U.S. national Zhenxing "Danny" Wang of New Jersey, was arrested for his role in a multi-year fraud scheme [1][4]. Wang, along with co-conspirator Kejia Wang, is accused of compromising the identities of more than 80 U.S. individuals to obtain remote jobs for North Korean workers [2]. The DoJ also indicted six Chinese nationals and two Taiwanese citizens for their involvement [4].
The scheme employed sophisticated methods to evade detection:
In a related case, four North Korean nationals - Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il - were charged with wire fraud and money laundering [2][3]. They allegedly stole over $900,000 in cryptocurrency from an Atlanta-based blockchain company, exploiting their positions as remote workers to alter smart contract source code [2].
This crackdown highlights the evolving nature of North Korea's cyber operations. Despite international sanctions, the regime has turned to alternative sources of income, including cryptocurrency theft and ransomware operations [1]. The scheme's success in infiltrating Fortune 500 companies underscores the sophisticated nature of these operations and the challenges in detecting them [4].
The DoJ's actions included searches of 29 known or suspected "laptop farms" across 16 states, seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers [2][3]. The 'Rewards for Justice' program has announced a $5,000,000 reward for information leading to the arrest of the four indicted North Korean nationals [3].
As North Korea continues to evolve its IT worker threat, with a notable focus on Europe and intensified extortion campaigns against employers, the challenge for companies and governments in countering these sophisticated operations is likely to grow [1].