The U.S. Department of Justice (DOJ) and FBI have disrupted a major North Korean scheme in which IT workers, posing as remote employees, infiltrated over 100 U.S. companies—including Fortune 500 firms and a defense contractor—to steal money, sensitive data, and cryptocurrency, and funnel millions of dollars back to North Korea’s regime.
Key details of the operation
North Korean nationals used stolen or fake identities—often those of more than 80 U.S. citizens—to secure remote IT jobs. They were aided by facilitators in the U.S., China, UAE, and Taiwan, who helped set up “laptop farms” (locations in the U.S. where company-issued laptops were remotely accessed by North Koreans) and created shell companies and fraudulent websites to make the workers appear legitimate. The schemes generated at least $5 million for North Korea, with one incident alone resulting in the theft of over $900,000 in cryptocurrency from a Georgia-based blockchain company. U.S. companies suffered at least $3 million in legal and remediation costs.
Beyond financial theft, North Korean workers also accessed and stole sensitive employer data, including source code and files governed by U.S. export controls and military technology regulations.
DOJ arrests one, indicts two, and seizes 29 laptops across 16 states
The DOJ announced one arrest (Zhenxing “Danny” Wang in New Jersey), two indictments, and the seizure of 29 laptop farms across 16 states, as well as 29 financial accounts and 21 fraudulent websites. Several U.S., Chinese, and Taiwanese nationals were charged as facilitators, with some still at large. The operation is part of North Korea’s broader strategy to evade international sanctions and fund its weapons programs by exploiting the global shift to remote work since the COVID-19 pandemic.
U.S. authorities are urging businesses to strengthen remote worker screening and remain vigilant against sophisticated identity fraud and insider threats linked to North Korean IT worker schemes.