The US Department of Justice has announced a coordinated crackdown on efforts by the North Korean government to finance its regime through a sophisticated scheme involving remote information technology (IT) work for American companies.
As part of the action, the US authorities unsealed two indictments, arrested a suspect, conducted searches across 16 states at nearly 30 known or suspected “laptop farms,” and seized multiple assets including 29 financial accounts and 21 fraudulent websites.
The scheme involves North Korean operatives, under false or stolen identities, fraudulently obtaining employment with US companies as remote IT workers. These workers were aided by individuals based not only in North Korea but also in the United States, China, the United Arab Emirates, and Taiwan.
According to court filings, the scheme enabled North Korean workers to infiltrate over 100 US companies, including Fortune 500 firms, by posing as legitimate candidates using fake credentials and front companies. Once employed, they were paid salaries and, in some cases, accessed and stole sensitive information, including export-controlled military technology and digital assets such as cryptocurrency. Some of the US-based accomplices helped set up fraudulent companies and professional websites to support the deception and provided US company-issued laptops that were remotely accessed from overseas via specialized hardware.
The police arrested one of the key figures, Zhenxing “Danny” Wang, who is a US citizen, in connection with a multi-year fraud operation that generated over $5 million. He, along with Chinese and Taiwanese nationals, is accused of facilitating employment fraud by compromising the identities of more than 80 US persons and enabling remote IT work under false pretenses. This caused significant financial damage to US firms, including legal costs and cybersecurity remediation expenses estimated at more than $3 million.
Wang and others received payment from the North Korean workers in exchange for their facilitation, with Wang and his co-conspirators allegedly receiving at least $696,000.
Among the other named defendants are several Chinese and Taiwanese nationals, as well as US-based facilitators like Kejia Wang, who not only hosted company laptops but also traveled abroad to coordinate aspects of the scheme directly with North Korean operatives. They also set up shell companies with associated bank accounts and websites to enhance the illusion of legitimacy and ensure payment pipelines for the illicit work.
In a related indictment, four North Korean nationals, Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il, were charged with wire fraud and money laundering for stealing and laundering over $900,000 in cryptocurrency.
The suspects obtained jobs at blockchain and virtual token firms using falsified identities and exploited their access to company systems to siphon digital assets. The funds, stolen in 2022, were laundered via cryptocurrency mixers and foreign accounts registered under fraudulent Malaysian documents.
In parallel, Microsoft has released a deep dive detailing North Korean remote IT worker activity it tracks as Jasper Sleet (formerly known as Storm-0287). According to Microsoft, North Korean remote IT workers leverage a sophisticated system to infiltrate global organizations by posing as legitimate remote employees. They use stolen or rented identities that match the location of their target companies, build fake online personas with fabricated portfolios on platforms like GitHub and LinkedIn, and use AI tools to create convincing content and disguise their identities.
Facilitators assist by validating identities, managing logistics, and handling job platform access. To avoid detection, these workers use VPNs, VPSs, proxy services, and remote monitoring tools to connect through devices in the target countries.