US unveils multiple operations to shutter North Korean IT worker schemes

At least one U.S. government contractor was hoovered up by the illicit worker operations, a senior FBI official said. The fraud has cost victims millions of dollars.
The Justice Department announced a multi-pronged operation to collapse numerous IT worker fraud schemes being carried out by affiliates of North Korea, with actions across 16 states that resulted in charges, arrests and seizures of bank accounts and technical assets used to carry out the schemes.
The schemes involved workers getting themselves hired into remote jobs based mainly in the U.S. in order to launder their paychecks back to North Korea. The stolen money is frequently used to help fund the regime’s missile programs.
The Justice Department indicted multiple people and arrested one U.S. person alleged to be connected to the schemes. FBI agents searched some 29 known or suspected laptop farms and seized 29 financial accounts used to launder illicit funds across some 21 sham websites, DOJ said Monday. The moves mark the biggest action to date by the FBI and Justice Department to kneecap the DPRK-linked operations.
In Massachusetts, U.S. national Zhenxing “Danny” Wang of New Jersey was arrested and charged with working to net some $5 million from U.S. companies alongside Chinese and Taiwanese co-conspirators. Multiple other U.S. facilitators have been identified, DOJ said in a statement.
The indictment says that from 2021 through October 2024, Wang and other partners used stolen identities from more than 80 Americans to land remote jobs at over 100 U.S. companies, including many Fortune 500 firms.
This cost the companies at least $3 million in legal expenses, network fixes and other damages. The overseas IT workers got help from Wang and the other U.S. accomplices. One of the U.S. persons kept in touch with the overseas team and traveled to China in 2023 to coordinate the scheme, the charges say.
To hide that the IT workers were overseas, Wang and others kept U.S. company laptops at their houses and hooked them up to remote-control devices so the workers abroad could use them from outside the country.
In separate charges in Georgia, four North Korean nationals are alleged to have stolen some $900,000 in virtual currency for the DPRK. Those defendants are still at large, and senior DOJ and FBI officials who spoke to reporters did not say explicitly whether any of the overseas conspirators would be extradited to the U.S. for trial.
According to the indictment, the defendants traveled to the United Arab Emirates using North Korean travel documents and worked together there. Around December 2020 and May 2021, two of the people were hired by a blockchain R&D company in Atlanta and a virtual token company in Serbia.
Both men hid their North Korean identities by providing fake IDs that combined stolen and fake information. Once they gained their employers’ trust, they got access to company crypto assets. In February 2022, one of the people used that access to steal about $175,000 in virtual currency by transferring it to an account he controlled. The next month, his partner in the scheme stole about $740,000 by altering the source code of two company smart contracts and sending the stolen crypto to his own address.
A senior FBI official said that at least one U.S. government contractor was caught up in the illegal hiring schemes and added that other contractors may be at risk of being victimized.
From June 10 to June 17, 2025, the FBI raided 21 sites in 14 states believed to be “laptop farms” — locations where laptops are kept and run in the U.S. so foreign IT workers can remotely log in and hide their real location. Agents seized about 137 laptops in total, DOJ said.
For several years now, North Korean-aligned IT workers have quietly posed as remote employees for global companies by using stolen or fake identities to earn hard currency, gain access to sensitive systems and funnel stolen funds back to Pyongyang, all while leaving employers unaware that they’re hiring foreign workers using false identities.
In early June, the Justice Department filed a civil complaint in Washington, D.C., to retrieve some $7.74 million allegedly pilfered by a North Korean IT worker scheme. The thefts have paid for some 50% of Pyongyang’s missile projects, according to earlier U.S. assessments.