US Cracks Down on North Korean IT Worker Scheme: Facilitator Arrested, Domains Seized, and Laptop Farms Raided
- John Jordan
- 1 day ago
Updated: 3 hours ago
U.S. authorities have launched a significant crackdown on a North Korean IT worker scheme, arresting a key facilitator, seizing numerous domains, and raiding dozens of "laptop farms." This coordinated effort aims to disrupt the illicit funding of North Korea's weapons programs and protect American companies from fraud and data theft.

Key Takeaways
- A major U.S. operation targeted a North Korean IT worker scheme, leading to an arrest, domain seizures, and raids on "laptop farms."
- The scheme involved North Korean IT workers using stolen and fake identities to secure remote jobs at over 100 U.S. companies, generating millions for the DPRK.
- "Laptop farms" hosted company-issued devices, allowing North Korean workers to appear as if they were working from the U.S. via remote access tools.
- The illicit activities included identity theft, financial fraud (e.g., cryptocurrency theft), and potential access to sensitive company data, including defense contractor information.
Facilitator Arrested and Indictments Issued
Zhenxing "Danny" Wang, a U.S. national from New Jersey, was arrested for his alleged role in facilitating the scheme. He is accused of helping North Koreans secure employment and generating over $5 million in revenue for Pyongyang. The indictment also names six Chinese and two Taiwanese nationals as co-conspirators.
Wang, along with another U.S. citizen, Kejia Wang, allegedly set up shell companies, fake websites, and financial accounts to legitimize the North Korean workers. They also hosted company laptops at their homes, connecting them to KVM (keyboard-video-mouse) switches to enable remote control by the overseas workers. These facilitators reportedly received at least $696,000 for their services.
Separately, four North Korean nationals – Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il – have been indicted for wire fraud and money laundering. They are accused of stealing over $900,000 in cryptocurrency from an Atlanta-based blockchain company and a Serbian virtual token company, then laundering the funds using Tornado Cash and fake Malaysian IDs.
The Scope of the Operation
U.S. law enforcement, including the Department of Justice (DOJ) and the FBI, conducted extensive operations:
- Arrests: One key facilitator, Zhenxing "Danny" Wang, was arrested.
- Raids: Nearly 30 "laptop farms" were raided across 16 states, with 21 searches conducted in June 2025 alone, seizing approximately 200 computers.
- Seizures: 29 financial accounts and 21 fraudulent websites were shut down, and 17 web domains used to facilitate the scheme were seized.
This scheme has allowed North Korea to bypass international sanctions and fund its illicit weapons programs. In one instance, North Korean IT workers gained access to sensitive data, including International Traffic in Arms Regulations (ITAR) data, from a California-based defense contractor.
Evolving Threat and Countermeasures
Microsoft, tracking this threat as "Jasper Sleet," has suspended 3,000 Outlook/Hotmail accounts linked to the scheme. The North Korean IT workers use sophisticated methods to create fake identities, including fabricated social media profiles and portfolios, and exploit AI tools to enhance their credibility during job applications.
They often operate from North Korea, China, and Russia, using VPNs and remote monitoring tools to conceal their locations. Facilitators are also recruited to create bank accounts, purchase phone numbers, and validate bogus identities during background checks using fake or stolen documents.
Despite the illicit nature of the scheme, some victim organizations have noted that these remote IT workers were among their most talented employees. The U.S. government continues to adapt its strategies, including developing machine learning solutions, to disrupt this evolving threat.