The U.S. Department of Justice (DOJ) has dismantled a sophisticated North Korean operation involving fraudulent remote IT workers who infiltrated over 100 American companies—including Fortune 500 firms and defense contractors—to funnel millions to Pyongyang’s weapons programs.
Coordinated actions across 16 states included the seizure of 29 financial accounts, 21 fraudulent websites, and approximately 200 computers, as well as indictments against 13 individuals.
The scheme, active since 2021, exploited stolen U.S. identities and “laptop farms” to mask overseas workers’ locations and siphon salaries to North Korea.
Elaborate Identity Theft and Infrastructure
North Korean operatives, aided by U.S.-based enablers, compromised over 80 American identities to secure remote IT jobs.
Facilitators like Zhenxing “Danny” Wang (arrested in New Jersey) created shell companies—including Hopana Tech LLC and Tony WKJ LLC—and hosted “laptop farms” using keyboard-video-mouse (KVM) switches.
These devices allowed overseas workers to remotely access U.S. company laptops while appearing stateside.
Workers leveraged virtual private networks (VPNs) and remote monitoring and management (RMM) tools to bypass location checks, with some using AI-enhanced forged documents and voice-changing software to evade detection.
The enablers earned $696,000 in commissions while causing over $3 million in damages to victim companies.
Military Data and Cryptocurrency Theft
Once embedded, workers exfiltrated sensitive data, including International Traffic in Arms Regulations (ITAR)-controlled military technology from a California defense contractor.
In a parallel scheme, four North Korean nationals—Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il—posed as remote blockchain developers to steal $900,000 in virtual currency.
They laundered funds through Tornado Cash, a cryptocurrency mixer, and funneled proceeds to accounts controlled by aliases using fraudulent Malaysian IDs.
Nationwide Takedown and Ongoing Threats
Between June 10 and 17, 2025, the FBI raided 21 suspected laptop farms across 14 states, seizing 137 computers.
This complements earlier actions in October 2024, in which domains and devices linked to the scheme were shut down.
The DOJ’s DPRK RevGen: Domestic Enabler Initiative continues to target revenue streams funding North Korea’s weapons programs.
Authorities warn that Pyongyang deploys thousands of IT workers globally, using evolving tactics like AI-forged documents to infiltrate critical sectors.
The indictments underscore the scale of state-sponsored cyber fraud, with the DOJ urging companies to verify the identities of remote workers and monitor for anomalous network access.
All defendants are presumed innocent until proven guilty.