Two US Nationals Imprisoned for Operating DPRK IT Worker Schemes
Two U.S. nationals have been sentenced to federal prison for their roles in operating "laptop farm" schemes that helped North Korean operatives fraudulently infiltrate over 100 American companies — including many Fortune 500 firms — generating more than $5 million that was funneled to the government of North Korea.
The Department of Justice announced the sentences as the latest action in an ongoing crackdown on DPRK-linked IT worker fraud operations. Prosecutors described the defendants as key facilitators who provided the on-the-ground infrastructure that allowed North Korean workers to appear as domestic US employees to their unwitting employers.
The Defendants and Their Sentences
| Defendant | Sentence | Role |
|---|---|---|
| Kejia Wang, 42 | 9 years federal prison | Senior facilitator, laptop farm operator |
| Zhenxing Wang, 39 | Nearly 8 years federal prison | Co-facilitator, money laundering |
Combined, the two defendants were sentenced to nearly 17 years in federal prison. The DOJ stated that the revenue generated by their scheme was used to finance North Korea's weapons of mass destruction programs and ballistic missile development.
How the Laptop Farm Scheme Worked
North Korean IT worker fraud is a sophisticated sanctions-evasion operation that has scaled to industrial levels. The fraud model operates as follows:
- DPRK operatives apply for remote IT positions at US companies using false identities, fraudulent credentials, and fabricated work histories
- US-based facilitators (like the Wang defendants) receive company-issued laptops at domestic addresses — the so-called "laptop farm"
- Remote access software is configured to forward the laptop connection to the actual DPRK operator working overseas, making them appear to be a local US worker
- Salary payments flow to the US facilitators, who launder the funds and transfer the proceeds to North Korean financial networks
- The DPRK retains the bulk of the earnings, estimated in the hundreds of millions annually across the full operation
This model exploits the trust placed in remote work arrangements and allows North Korea to monetize IT talent while evading the sanctions regime that restricts its financial access to the global economy.
Scale and National Security Impact
The North Korean IT worker operation represents a significant national security threat. Prior DOJ and FBI advisories have estimated that thousands of DPRK-affiliated IT workers are embedded across US companies at any given time. Revenue generated funds:
- North Korea's ballistic missile and nuclear weapons programs
- Cyber offensive operations conducted by Lazarus Group and affiliated state-sponsored APT clusters
- Procurement of sanctioned dual-use goods and technologies
- The financial infrastructure behind DPRK state espionage activities
A single ring disrupted in 2024 was linked to over 300 US companies, demonstrating the scale at which these operations run.
Indicators of DPRK IT Worker Infiltration
The FBI and CISA have published guidance to help organizations detect DPRK IT workers embedded within their workforce. Key red flags include:
- Unusual login patterns — logins at unexpected hours, from foreign geolocations, or via uncommon VPN exit nodes inconsistent with claimed location
- Reluctance to appear on camera during video calls, or a persistent camera-off policy
- Multiple applicants with similar profiles applying to the same organization
- Laptop delivery address inconsistent with the candidate's claimed state of residence
- Requests to install remote desktop tools or access forwarding software on corporate devices
- Financial irregularities — requests to route payments to unusual financial intermediaries or overseas accounts
- Skill inconsistencies — strong technical ability paired with poor cultural fit or communication issues
Legal Framework
The Wang defendants were charged under:
- International Emergency Economic Powers Act (IEEPA) — sanctions evasion
- Wire fraud statutes
- Money laundering charges
The maximum statutory penalties in these cases can reach 20 years per count. The DOJ has signaled continued aggressive prosecution of DPRK-linked financial networks and their US-based enablers.
Recommended Defensive Measures for Employers
Organizations with remote-first hiring practices should:
- Require live video verification with government-issued ID during onboarding and at periodic intervals
- Restrict hardware shipping addresses to verified employee locations with physical confirmation
- Implement MDM/EDR on all corporate devices to detect remote access tools and unusual forwarding behavior
- Conduct enhanced background checks with third-party verification of physical presence and identity
- Monitor network traffic from corporate devices for remote desktop protocol (RDP) and access forwarding tool signatures
- Establish insider threat programs with HR and security collaboration to flag anomalous employee behavior patterns
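Several of the red flags and employer controls listed above can be checked mechanically once HR, identity-provider and MDM/EDR data are joined. The following is an added example, not taken from the article or from FBI/CISA guidance: a small Python correlator run over constructed records. The field names, the remote-access tool watchlist, the 06:00-22:00 working window, the shared-address check and the two-flag review threshold are all assumptions.

```python
from collections import defaultdict

# Illustrative watchlist of remote-access tools (assumption; tune to your approved-software policy).
REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "chrome remote desktop"}

# Constructed sample data, not real records.
WORKERS = [  # HR onboarding records
    {"id": "w1", "claimed_state": "TX", "ship_state": "TX", "ship_addr": "12 Oak St, Austin"},
    {"id": "w2", "claimed_state": "CA", "ship_state": "NJ", "ship_addr": "77 Elm Ave, Edison"},
    {"id": "w3", "claimed_state": "WA", "ship_state": "NJ", "ship_addr": "77 Elm Ave, Edison"},
]
# (worker id, source country, hour in the worker's claimed time zone) from IdP/VPN logs
LOGINS = [("w1", "US", 10), ("w2", "US", 9), ("w2", "CN", 2), ("w3", "US", 3)]
# Installed software per device owner, from MDM/EDR inventory
SOFTWARE = {"w1": ["vscode"], "w2": ["AnyDesk", "vscode"], "w3": ["slack"]}


def red_flags(workers, logins, software):
    """Return {worker_id: sorted flags} for every worker with at least one flag."""
    addr_count = defaultdict(int)
    for w in workers:
        addr_count[w["ship_addr"].lower()] += 1
    flags = defaultdict(set)
    for w in workers:
        if w["ship_state"] != w["claimed_state"]:
            flags[w["id"]].add("ship_address_mismatch")
        if addr_count[w["ship_addr"].lower()] > 1:  # several laptops to one address
            flags[w["id"]].add("shared_ship_address")
    for wid, country, local_hour in logins:
        if country != "US":
            flags[wid].add("foreign_login")
        if local_hour < 6 or local_hour >= 22:
            flags[wid].add("off_hours_login")
    for wid, apps in software.items():
        if any(app.lower() in REMOTE_TOOLS for app in apps):
            flags[wid].add("remote_access_tool")
    return {wid: sorted(f) for wid, f in flags.items()}


def triage(flag_map, threshold=2):
    """Workers whose independent flag count warrants HR/security review."""
    return sorted(wid for wid, f in flag_map.items() if len(f) >= threshold)


if __name__ == "__main__":
    found = red_flags(WORKERS, LOGINS, SOFTWARE)
    for wid in triage(found):
        print(wid, found[wid])
```

A single flag is weak evidence on its own, which is why the triage step requires several to coincide before a worker is referred for review.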
References
- BleepingComputer: US Nationals Behind North Korean IT Worker Laptop Farm Sent to Prison
- FBI Advisory: North Korean IT Worker Threat
- CISA: North Korean IT Workers Guidance
- DOJ DPRK Enforcement Actions
Published by CosmicBytez Labs — labs.cosmicbytez.ca