
In a sweeping series of law enforcement actions, the U.S. Department of Justice (DOJ) has exposed and disrupted a covert operation run by North Korea’s regime to generate revenue by infiltrating U.S. companies through remote IT jobs. The campaign, involving fraudulent identities, laptop farms, and money laundering, funneled millions of dollars to the DPRK’s weapons programs under the guise of legitimate tech employment.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the DOJ’s National Security Division.
According to the unsealed indictments, North Korean operatives used stolen and fake identities to land remote IT jobs at more than 100 U.S. companies, including several in the Fortune 500. Once inside, they accessed sensitive corporate systems, exported ITAR-controlled military technology, and stole virtual currency worth over $900,000.
A network of enablers in the U.S., China, UAE, and Taiwan helped them set up shell companies, fraudulent websites, and laptop farms—clusters of computers owned by U.S. companies and accessed remotely by North Korean workers via KVM switches.
“Let the actions announced today serve as a warning: if you host laptop farms for the benefit of North Korean actors, law enforcement will be waiting for you,” warned FBI Cyber Division Assistant Director Brett Leatherman.
The District of Massachusetts announced the arrest of Zhenxing “Danny” Wang and indictments against 10 other individuals, including Chinese and Taiwanese nationals, for running a multi-year fraud ring that earned over $5 million. The group compromised more than 80 U.S. citizens’ identities and facilitated North Korean job placements, enabling the theft of ITAR-controlled military tech from a U.S. defense contractor.
A separate indictment from the Northern District of Georgia charged four North Korean nationals with stealing over $900,000 in virtual currency by infiltrating blockchain firms using fake identities. The stolen crypto was laundered via Tornado Cash and exchange accounts under aliases, with some identities tied to fraudulent Malaysian documents.
The coordinated operation—part of the DPRK RevGen: Domestic Enabler Initiative—saw searches across 16 states, resulting in the seizure of 137 laptops, 29 financial accounts, and 21 fraudulent websites. This follows earlier actions in October 2024, where agents seized 70 laptops and KVMs from domestic shell companies created to support the scheme.
The DOJ has also reaffirmed its call for heightened vigilance among U.S. businesses, especially those hiring remote IT workers. Public advisories from the FBI, Department of Treasury, and ODNI have warned that North Korean IT workers earn up to $300,000 annually, collectively generating hundreds of millions in revenue for the regime.
To help dismantle the regime’s digital revenue engine, the U.S. State Department has offered rewards of up to $5 million for actionable intelligence on North Korean cybercriminals and financial enablers.