New Jersey Men Given Lengthy Sentences for Running North Korean Laptop Farms

Two Men Sentenced for Funding North Korea's Weapons Programs

Two New Jersey men have been handed significant federal prison sentences for their roles in operating so-called "laptop farm" schemes that generated millions of dollars for the North Korean government. The Department of Justice announced the sentences as part of a broader crackdown on DPRK-linked IT worker fraud operations that have infiltrated hundreds of US companies.

Kejia Wang, 42, was sentenced to nine years in federal prison, while Zhenxing Wang, 39, received a sentence of nearly eight years. Together, their scheme generated more than $5 million that was funneled to the government of North Korea — funds the DOJ says are used to finance the country's weapons of mass destruction programs.

How the Laptop Farm Operation Worked

North Korean IT worker schemes have become a significant national security concern in recent years. The model is deceptively simple: DPRK operatives pose as skilled foreign IT contractors and apply for remote work positions at US companies. To appear as domestic workers and bypass sanctions, they enlist US-based facilitators to:

Receive and proxy company-issued laptops at domestic addresses — the "laptop farm"
Use remote access tools to forward the connection back to North Korean operators overseas
Collect and launder salary payments before transferring funds to North Korea

The Wang defendants played key facilitation roles in this pipeline — maintaining physical infrastructure that made the overseas operators appear to be legitimate domestic workers to their unwitting employers.

Scale of the Problem

The North Korean IT worker threat has reached significant scale. The DOJ, FBI, and Department of State have previously warned that thousands of DPRK-affiliated IT workers are embedded across US companies, with annual revenue estimated in the hundreds of millions of dollars. A single ring disrupted in 2024 was linked to over 300 US companies.

DPRK IT worker revenue streams fund:

North Korea's ballistic missile and nuclear weapons programs
Cyber offensive operations conducted by Lazarus Group and affiliated APTs
Procurement of sanctioned goods and technologies

Indicators of Compromise for Employers

The FBI and CISA have published guidance for organizations to help detect North Korean IT workers. Key red flags include:

Unusual login patterns — logins at unexpected hours, from unexpected geolocations, or via uncommon VPN exit nodes
Performance inconsistencies — highly skilled in some areas, poor communication or cultural fit
Reluctance to appear on video or camera-off policy during calls
Multiple profiles with similar resumes applied to the same organization
Payment routing requests to overseas accounts or unusual financial intermediaries
Laptop delivery address in states not matching the candidate's claimed residence
Remote desktop access requests from a newly issued corporate device

Legal Context

The Wang sentencing follows a string of related prosecutions. In prior cases, the DOJ has charged both the overseas operators and their US-based enablers under violations of:

The International Emergency Economic Powers Act (IEEPA) — for sanctions evasion
Wire fraud statutes
Money laundering charges

The maximum statutory penalties in these cases can reach 20 years per count, and the DOJ has signaled continued aggressive prosecution of DPRK-linked financial networks.

Industry Response

The sentences underscore the urgency of tightening remote hiring practices. Security researchers recommend organizations:

Require live video verification with government-issued ID during onboarding
Restrict hardware shipping addresses to verified employee locations
Implement device management (MDM/EDR) to detect remote forwarding tools on corporate hardware
Conduct background checks with third parties that verify physical presence
Monitor network traffic from company-issued devices for remote access tool signatures

The full DOJ announcement is available via The Record and official DOJ press releases.

References

Published by CosmicBytez Labs — labs.cosmicbytez.ca

Two Men Sentenced for Funding North Korea's Weapons Programs

How the Laptop Farm Operation Worked

Receive and proxy company-issued laptops at domestic addresses — the "laptop farm"
Use remote access tools to forward the connection back to North Korean operators overseas
Collect and launder salary payments before transferring funds to North Korea

Scale of the Problem

DPRK IT worker revenue streams fund:

North Korea's ballistic missile and nuclear weapons programs
Cyber offensive operations conducted by Lazarus Group and affiliated APTs
Procurement of sanctioned goods and technologies

Indicators of Compromise for Employers

The FBI and CISA have published guidance for organizations to help detect North Korean IT workers. Key red flags include:

Unusual login patterns — logins at unexpected hours, from unexpected geolocations, or via uncommon VPN exit nodes
Performance inconsistencies — highly skilled in some areas, poor communication or cultural fit
Reluctance to appear on video or camera-off policy during calls
Multiple profiles with similar resumes applied to the same organization
Payment routing requests to overseas accounts or unusual financial intermediaries
Laptop delivery address in states not matching the candidate's claimed residence
Remote desktop access requests from a newly issued corporate device

Legal Context

The Wang sentencing follows a string of related prosecutions. In prior cases, the DOJ has charged both the overseas operators and their US-based enablers under violations of:

The International Emergency Economic Powers Act (IEEPA) — for sanctions evasion
Wire fraud statutes
Money laundering charges

The maximum statutory penalties in these cases can reach 20 years per count, and the DOJ has signaled continued aggressive prosecution of DPRK-linked financial networks.

Industry Response

The sentences underscore the urgency of tightening remote hiring practices. Security researchers recommend organizations:

Require live video verification with government-issued ID during onboarding
Restrict hardware shipping addresses to verified employee locations
Implement device management (MDM/EDR) to detect remote forwarding tools on corporate hardware
Conduct background checks with third parties that verify physical presence
Monitor network traffic from company-issued devices for remote access tool signatures

The full DOJ announcement is available via The Record and official DOJ press releases.

References

Published by CosmicBytez Labs — labs.cosmicbytez.ca

New Jersey Men Given Lengthy Sentences for Running North Korean Laptop Farms

Two Men Sentenced for Funding North Korea's Weapons Programs

How the Laptop Farm Operation Worked

Scale of the Problem

Indicators of Compromise for Employers

Legal Context

Industry Response

References

US Nationals Behind DPRK IT Worker Laptop Farm Sent to Prison

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Russia's Forest Blizzard Harvests Logins via SOHO Router DNS Poisoning

New Jersey Men Given Lengthy Sentences for Running North Korean Laptop Farms

Two Men Sentenced for Funding North Korea's Weapons Programs

How the Laptop Farm Operation Worked

Scale of the Problem

Indicators of Compromise for Employers

Legal Context

Industry Response

References

US Nationals Behind DPRK IT Worker Laptop Farm Sent to Prison

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Russia's Forest Blizzard Harvests Logins via SOHO Router DNS Poisoning