U.S. Target North Korean IT Worker Scams with Raids, Indictments
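U.S. investigators exposed a North Korean government IT worker scam that stole the identities of at least 80 Americans to place operatives in more than 100 companies, causing $3 million in losses over three years. The Justice Department and FBI took action, carrying out arrests and searching 29 laptop farms, seizing 29 financial accounts and taking over 21 fraudulent websites. The scheme was used to steal sensitive data and raise funds for the North Korean regime to evade sanctions. 2025-7-1 22:6:22 Author: securityboulevard.com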

U.S. investigators ran a wide-ranging and coordinated investigation into the North Korean government’s notorious IT worker scams that they said used the stolen identities of at least 80 Americans to place operatives in more than 100 U.S. companies and caused losses and damages totaling at least $3 million over three years.

The Justice Department (DOJ) this week outlined the results of the initiative, which included two indictments, one arrest, raids on 29 so-called laptop farms across 16 states that were foundational to the schemes, the seizure of 29 financial accounts used to launder money, and the takeover of 21 fraudulent websites.

It marked the largest operation by the DOJ and FBI against the expanding IT worker scams used by North Korea’s government to steal sensitive information – including employer data and military data – and collect millions of dollars that were sent back to bypass international sanctions and support the regime, including its expansive weapons program.

Federal law enforcement agencies for the past several years have looked to put down the IT worker scams, including seizing related websites, shutting down laptop farms, and, last month, moving to collect $7.74 million seized in 2023 during a worker scam criminal case.

“North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” Assistant Director Roman Rozhavsky of the FBI’s Counterintelligence Division said in a statement. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

An Expanding Operation

North Korea has been running the extensive schemes for more than five years, deploying thousands of people armed with fraudulent IDs to get jobs as IT workers at U.S. companies that unwittingly hired them, often after interviews and background checks. They use information stolen from U.S. citizens to create the identities and, most recently, AI tools to make them seem more legitimate.

The complex operations also require conspirators to run the laptop farms to convince the companies that those they hired were working in the United States or had some connection to the country. The companies that hire them send corporate-issued laptops to the addresses the scammers give them, and the workers operate those laptops remotely while living in North Korea, China, or elsewhere.

Conspirators, including some in the United States, also create front companies and fraudulent websites to further legitimize the remote IT workers.

Once employed, the North Korean IT workers use the laptops to access and steal data, download malware, or take other malicious actions. They also will do the work and receive regular salaries, much of which is funneled to the North Korean regime. Others help launder the money and send it back to North Korea.

North Korea Leans Into AI to Scale Schemes

In a report this week, Microsoft’s Threat Intelligence unit said that North Korean IT scam operators are increasing their use of AI to enhance their efforts. This includes “the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software,” the Microsoft researchers wrote.

They also noted that, while the schemes historically have targeted companies in the United States in such sectors as technology, manufacturing and transportation, “we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles.”

In the cases outlined by the DOJ, co-conspirators not only came from the United States, but other countries as well, including China, Taiwan, and the United Arab Emirates. Last year, an Arizona woman, Christina Marie Chapman, pleaded guilty to federal charges of conspiracy to commit wire fraud and to launder money and aggravated identity theft in connection with a laptop farm she operated.

Prosecutors Hand Up an Indictment

Investigators arrested Zhenxing “Danny” Wang of New Jersey, a U.S. national who was indicted on five counts related to his efforts between 2021 and October 2024 to help North Korean operatives get hired by U.S. companies, which generated more than $5 million in revenue. In addition, six Chinese nationals – Jing Bin Huang, Baoyu Zhou, Tong Yuze, Yongzhe Xu, Ziyou Yuan, and Zhenbang Zhou – and two from Taiwan, Mengting Liu and Enchia Liu, were named as co-conspirators.

They also were assisted by others, including Kejia Wang, Zhenxing Wang, and at least four others in the United States. Investigators noted that Kejia Wang, for example, contacted conspirators overseas and IT workers and traveled to China to meet with them. Kejia Wang and others also ran laptop farms in the United States or received the corporate-issued computers, connecting them to devices that allowed the overseas IT workers to access the laptops remotely.

Kejia Wang and Zhenxing Wang also created shell companies and corresponding websites and financial accounts to further burnish the North Korean IT workers’ credibility. For all this work, those two and the other four U.S. residents received at least $696,000 from the IT workers.

Through this operation, IT workers were able to access sensitive employer data and source code, including data related to International Traffic in Arms Regulations (ITAR) through a defense contractor in California that develops AI-powered equipment and technologies.

Four Other North Koreans are Charged

In addition, a separate indictment charged four North Koreans – Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il – who were accused of stealing and laundering more than $900,000 in cryptocurrency from two companies, a blockchain R&D company in Atlanta, Georgia, and a virtual token company based in Serbia.

They laundered the money by running it through the Tornado Cash currency mixer before transferring the digital assets to exchange accounts they controlled.

Article source: https://securityboulevard.com/2025/07/u-s-target-north-korean-it-worker-scams-with-raids-indictments/?utm_source=rss&utm_medium=rss&utm_campaign=u-s-target-north-korean-it-worker-scams-with-raids-indictments