The U.S. Department of Justice announced the indictment of two North Korean nationals and three facilitators for their involvement in a long-running cyber fraud scheme to deceive U.S. companies into hiring remote information technology (IT) workers. The cyber fraud scheme, spanning from 2018 to 2024, generated significant revenue for North Korea, with at least $866,255 funneled through illicit means.
The indicted individuals include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. nationals Erick Ntekereze Prince and Emanuel Ashtor.
The Justice Department describes their actions as part of a broader effort by North Korea to evade sanctions and fund the country’s weapons programs by exploiting remote work opportunities in the IT sector.
Cyber Fraud Scheme: A Coordinated Effort to Deceive U.S. Companies
The indictment outlines how the five individuals used a network of deception to secure remote IT jobs with at least 64 U.S. companies. The defendants used forged and stolen identity documents, including U.S. passports, to hide their true identities and circumvent sanctions. This allowed them to work as freelance IT professionals, despite being based in North Korea.
In total, the scheme generated over $866,000 in revenue, which was largely laundered through a Chinese bank account. The illicit funds were transferred to support North Korea’s regime, including its weapons development programs. According to the indictment, the group used remote access software to manipulate victim companies into believing they were hiring legitimate U.S.-based workers.
The Role of Laptop Farms
One of the key components of this fraudulent operation was the use of “laptop farms.” These were physical locations, such as the one operated by Emanuel Ashtor in North Carolina, where laptops provided by U.S. companies were installed with remote access software to perpetuate the deception. The laptops were configured to make it appear as though workers were based in the U.S., when in reality, they were in countries like China or Russia, working on behalf of the North Korean regime.
The FBI arrested Ntekereze and Ashtor in connection with the operation, and Alonso was apprehended in the Netherlands on January 10, 2025. Ashtor’s laptop farm played a crucial role in deceiving U.S. companies into providing laptops and trusting that they were hiring remote workers based in the U.S.
North Korea’s IT Worker Scheme and Global Impact
North Korea’s IT worker scheme has been an ongoing concern for the global community. Thousands of skilled North Korean IT workers have been sent abroad, primarily to China and Russia, with the goal of infiltrating U.S. companies. These workers are often highly skilled and can earn up to $300,000 annually, generating significant sums that support North Korea’s weapons programs and other sanctioned activities.
The U.S. government has warned that North Korea’s IT workers use a variety of tools to conceal their identities, including fake online job sites, pseudonymous accounts, and proxy computers. These workers have generated hundreds of millions of dollars for the North Korean regime, and the fraudulent scheme uncovered by the Justice Department is just one example of the broader effort to circumvent sanctions.
Legal Consequences for the Defendants
The defendants face serious charges, including conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak, as North Korean nationals, are also charged with conspiracy to violate the International Emergency Economic Powers Act.
If convicted, the defendants could face up to 20 years in prison. The court will determine the final sentences after considering various statutory factors and U.S. Sentencing Guidelines.
Ongoing Efforts to Combat North Korean Cyber Threats
This indictment is part of the Department of Justice’s broader efforts to disrupt North Korea’s cyber-enabled sanctions-evading schemes. The FBI’s Cyber Division, in partnership with the U.S. Department of State and the Department of the Treasury, has been investigating and targeting these activities for several years. In March 2024, the National Security Division and the FBI launched the “DPRK RevGen: Domestic Enabler Initiative” to identify and shut down U.S.-based “laptop farms” that host remote IT workers affiliated with North Korea.
The Justice Department’s efforts have already led to successful actions in October 2023, May 2024, August 2024, and December 2024, which targeted similar schemes. The FBI has issued several advisories, including a May 2022 alert, warning the international community about the growing risk posed by North Korean IT workers. The most recent update, issued in May 2024, provides guidance on identifying potential threats and mitigating risks associated with the scheme.
Continued Assistance for U.S. Companies
The FBI has emphasized its commitment to assisting U.S. companies that may have fallen victim to this type of fraud. The agency urges any organizations that believe they may have been targeted by North Korean IT workers to reach out to their local FBI field office for support. The FBI is also offering guidance on how businesses can better detect and prevent such schemes in the future.
“The FBI remains committed to assisting victims of these frauds and providing the necessary tools to prevent similar incidents,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “Our work is ongoing, and we will continue to pursue those responsible for exploiting U.S. companies for the benefit of North Korea’s regime.”
