A major North Korea IT worker scheme has led to the sentencing of two U.S. nationals who helped facilitate fraudulent remote employment operations that generated millions of dollars for the Democratic People’s Republic of Korea (DPRK), according to the U.S. Department of Justice.
The case highlights how foreign actors exploited remote work systems, stolen identities, and U.S.-based infrastructure to infiltrate companies and access sensitive data.
Sentencing in North Korea IT Worker Scheme
Kejia Wang, 42, and Zhenxing Wang, 39, were sentenced for their roles in supporting the North Korea IT worker scheme, which placed overseas operatives into jobs at more than 100 U.S. companies.
Kejia Wang received a sentence of 108 months in prison, while Zhenxing Wang was sentenced to 92 months. Both had pleaded guilty to multiple charges, including conspiracy to commit wire fraud and money laundering. The court also ordered three years of supervised release and financial penalties, including forfeiture of $600,000.
Officials confirmed that the scheme generated more than $5 million in revenue for the DPRK, with at least $400,000 already recovered by authorities.
How the Laptop Farm Scheme Worked
At the center of the North Korea IT worker scheme were so-called “laptop farms” operated by the defendants in the United States. These setups were designed to make it appear that remote IT workers were physically located in the U.S.
Using stolen identities of more than 80 Americans, the group secured remote IT roles across multiple organizations, including several Fortune 500 companies. The defendants and their associates hosted company-issued laptops at U.S. locations, enabling overseas workers to access them remotely.
To facilitate this, they used hardware tools such as keyboard-video-mouse switches, allowing remote control of the devices from abroad. This setup helped bypass location checks and security controls commonly used by employers.
Use of Shell Companies and Financial Networks
The defendants also created shell companies, including Hopana Tech LLC and Independent Lab LLC, to support the North Korea IT worker scheme. These entities had no real operations but were used to present the overseas workers as legitimate U.S.-based employees.
Payments from victim companies were routed through financial accounts linked to these shell companies. Authorities said millions of dollars were funneled through these accounts, with a significant portion transferred to overseas co-conspirators.
In return, the facilitators in the U.S. received nearly $700,000 for their involvement.
Access to Sensitive Data and Security Risks
The North Korea IT worker scheme raised serious concerns about data security and national security. Investigators found that some of the fraudulently hired workers gained access to sensitive corporate information, including source code and restricted technical data.
In one instance, an overseas co-conspirator accessed data controlled under International Traffic in Arms Regulations from a U.S.-based defense contractor. The data included sensitive information related to advanced technologies.
Officials warned that such access could expose critical systems and intellectual property to foreign adversaries.
Ongoing Investigation and Wanted Suspects
Authorities continue to investigate the broader North Korea IT worker scheme, with several individuals still at large. The Federal Bureau of Investigation has identified multiple suspects believed to be involved in the operation.
The U.S. Department of State has announced a reward of up to $5 million for information that helps disrupt financial networks supporting such activities.
Law enforcement agencies have already taken action to dismantle parts of the operation. This includes the seizure of web domains and financial accounts linked to the scheme, along with the recovery of more than 70 laptops and remote access devices during coordinated searches.
The North Korea IT worker scheme is part of a broader effort by DPRK-linked actors to generate revenue through cyber-enabled operations. Authorities say these schemes often rely on stolen identities, fake online profiles, and third-party facilitators to gain access to company systems.
Public advisories from U.S. agencies have previously warned that such workers can earn significant sums, sometimes up to $300,000 annually, contributing to large-scale funding operations tied to North Korea’s strategic programs.
