Back
World News

Two Sentenced for Roles in Scheme Aiding North Korean IT Workers at US Companies

Generated on: Last updated: 2 sources
View source

North Korean IT Worker Fraud: Two Sentenced in US Court

Two men have been sentenced in a US federal court for their roles in an international fraud operation that placed North Korean information technology workers in remote jobs at over 100 US companies between 2022 and 2024.

The Sentences

A federal judge in Massachusetts sentenced Kejia "Tony" Wang to nine years in prison. Zhenxing Wang received a sentence of nearly eight years. The court ordered both men to collectively forfeit $600,000.

Details of the Scheme

According to court documents, the operation used the stolen identities of over 80 Americans. Participants forged Social Security cards and California driver's licenses, filed false employment forms with the Department of Homeland Security, and altered tax documents submitted to the Internal Revenue Service and the Social Security Administration.

The scheme generated over $5 million in salary payments from victim companies.

The resulting fallout caused at least $3 million in legal fees and computer cleanup costs for businesses across 28 states and the District of Columbia.

Context and Global Estimates

US officials state that North Korea diverts funds from such schemes toward weapons development, including nuclear weapons and ballistic missiles.

The United Nations Multilateral Sanctions Monitoring Committee estimates the broader North Korean IT worker scheme generated approximately $2.8 billion globally over the past two years, with $250 million to $600 million annually from fraudulent salaries.

The Australian Security Intelligence Organisation (ASIO) and cybersecurity firm DTEX have documented similar operations targeting companies in Australia. The United Nations estimates this operation nets North Korea approximately $800 million annually.

Australian law enforcement sources confirm that major banks, including NAB, have experienced infiltration. Key target industries in Australia include defense, building, and engineering design.

Methods of Operation

Multiple sources describe the following methods used by operatives:

  • Fake Identities: Operatives use crafted résumés and social media profiles, often using stolen or fabricated personal details.
  • Artificial Intelligence: Operatives use AI to identify job advertisements, manage correspondence with recruiters, and alter voices and appearances during virtual interviews.
  • Laptop Farming: Individuals in Western countries are recruited to host and operate company-issued computers, acting as intermediaries for the operatives.
  • Multiple Personas: A single operative may use various names while maintaining consistent details across multiple job applications.

Cybersecurity firms have observed North Korean operatives using AI to convert accents during live interviews.

Investigation and Sting Operations

In a 2024 US sting operation, investigators posing as a front company tracked a facilitator known as "David," who presented a real government ID on-site, and another facilitator, "Aaron," who received a company laptop. Both denied involvement when contacted. Investigators report that identities continue circulating through the scheme even after facilitators stop participating.

In a separate investigation in Australia, a recruiter working with intelligence agencies established a trap for a suspected operative using the alias "Aaron Pierson." During a Zoom interview, "Aaron" demonstrated difficulty providing information about his claimed residence and university attendance. He appeared different from his profile picture and became defensive when questioned about North Korea.

Michael Barnhart, lead investigator for DTEX, heads a team that tracks these operatives by identifying inconsistencies in online footprints, such as multiple résumés using the same photo or accidental inclusions of accomplices in selfies.

Enforcement and Convictions

At least seven Americans have been convicted since 2024 for aiding North Korean IT worker schemes. These convictions include a former US Army soldier, a nail technician, and two California men.

Christina Chapman, an Arizonan woman, received an 8.5-year jail sentence for operating a "laptop farm" that facilitated the infiltration of over 300 US firms, according to US prosecutors.

In June 2025, the FBI conducted 29 raids across 16 US states and seized 21 fraudulent websites.

Documented cases have involved major firms such as Boeing, NBC, and Nike.

Expert Observations

Evan Gordenker of Palo Alto Networks stated that North Korea has built an industrial hiring machine exploiting standard hiring practices.

Michael Barnhart of DTEX noted varying levels of participation by Americans, from identity brokers to those appearing for interviews or drug tests.

Mitchell Green of Aon's Cyber Solutions stated that some facilitators are highly involved while others are unassuming.

US Assistant Attorney General John Eisenberg stated that such schemes would not succeed without US-based facilitators who operate laptop farms, create fictitious front companies, and defraud companies using false identification documents.

Jonathan Fritz, principal deputy assistant secretary of state for East Asia Pacific affairs, stated that North Korea uses stolen money to fund weapons development.

ASIO Director-General Mike Burgess expressed concern regarding the response from Australian companies to this threat and emphasized the need for action to prevent critical businesses from being compromised. Burgess and DTEX founder Mohan Koo have called for Australian companies to enhance their recruitment practices.