Two American nationals have been sentenced to 18 months in federal prison each for operating so-called "laptop farms" — physical setups designed to give North Korean IT workers a fraudulent U.S.-based presence while they remotely infiltrated American companies. The scheme, which spanned nearly 70 U.S. businesses and generated approximately $1.2 million in revenue for the North Korean regime, represents one of the more elaborate iterations of the DPRK's long-running IT worker fraud campaign.
How the Laptop Farm Scheme Worked
The defendants hosted multiple laptops at residential or business locations in the United States. North Korean workers operating from overseas — primarily from China and Russia — remotely accessed these machines using KVM-over-IP devices and remote desktop software, creating the impression that they were working locally within the United States.
This physical U.S. presence was crucial to the fraud. American companies conducting employment verification checks would see domestic IP addresses, U.S. mailing addresses, and in some cases, devices appearing on corporate networks as locally connected endpoints. The North Korean workers used these identities to apply for and obtain remote software engineering, IT administration, and development positions.
Once hired, the workers collected salaries that were then funneled back to North Korea, circumventing U.S. sanctions prohibiting financial transactions that benefit the regime. The $1.2 million in combined revenue across the two defendants' operations represents only a fraction of what analysts estimate is a broader multi-billion-dollar enterprise.
Scale of the North Korean IT Worker Threat
The sentencing follows a string of U.S. government enforcement actions targeting participants in North Korea's "IT worker" program. The scheme is believed to be coordinated by the Lazarus Group and affiliated state-sponsored units operating under the Reconnaissance General Bureau (RGB), North Korea's primary intelligence apparatus.
According to the U.S. Department of Justice and FBI, thousands of DPRK IT workers are actively embedded in Western companies at any given time, generating revenue that funds the regime's weapons of mass destruction and ballistic missile programs. Beyond financial gain, some embedded workers have been linked to corporate espionage and data theft operations.
Previous enforcement actions have included:
- Indictments against North Korean nationals for wire fraud and sanctions violations
- Arrests of facilitators in the United States, United Kingdom, and other allied nations
- Asset seizures and civil forfeiture actions targeting shell companies used to launder proceeds
Indicators of Compromise and Detection
Organizations concerned about North Korean IT worker infiltration should look for several behavioral and technical red flags:
Technical indicators:
- Remote desktop tools (AnyDesk, TeamViewer, Chrome Remote Desktop) running persistently on corporate endpoints
- KVM-over-IP device signatures on network scans
- Unusual login hours inconsistent with declared time zones
- VPN usage that doesn't match stated work location
Behavioral indicators:
- Reluctance to appear on video calls or disabling cameras
- Inconsistencies between the quality of spoken and written communication
- Requests to have paychecks directed to unusual payment services or third-party accounts
- Overly rapid résumé submission with highly polished but difficult-to-verify credentials
Recommendations for Employers
The FBI and CISA have issued joint guidance recommending that organizations:
- Verify identity rigorously — require government-issued ID verification via video calls with live document inspection before onboarding any remote contractor or employee
- Audit remote access tools — maintain an inventory of approved remote access software and flag unauthorized installations
- Geolocate work activity — compare declared work location against IP geolocation data during onboarding and periodically thereafter
- Screen payments carefully — be alert to requests for payment redirection through third-party services, particularly those associated with cryptocurrency or international wire transfers
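As an added illustration (not code from the FBI/CISA guidance or from the case), the sketch below applies three of the technical checks above to session telemetry: login hours against the declared time zone, geolocation against the declared country, and unapproved remote desktop tools seen on multiple days. The allowlist, thresholds, field layout and all sample records are constructed assumptions. Note that the flagged worker geolocates to the U.S., as a laptop farm would.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions for this sketch: allowlist, hour window and thresholds are illustrative.
APPROVED_TOOLS = {"corp-vpn"}    # hypothetical approved remote-access inventory
REMOTE_TOOLS = {"anydesk", "teamviewer", "chrome remote desktop"}  # tools named in the article
LOCAL_WORK_HOURS = range(6, 23)  # 06:00-22:59 local time counts as plausible activity

# Constructed HR data: declared country and UTC offset (fixed offset, DST ignored).
DECLARED = {"jdoe": ("US", -6), "asmith": ("US", -5)}

# Constructed telemetry: (user, session start in UTC, geolocated country, processes seen).
EVENTS = [
    ("jdoe",   "2025-03-03T15:05", "US", ["corp-vpn"]),
    ("jdoe",   "2025-03-04T14:50", "US", ["corp-vpn"]),
    ("asmith", "2025-03-03T07:10", "US", ["AnyDesk"]),
    ("asmith", "2025-03-04T06:45", "US", ["AnyDesk", "corp-vpn"]),
    ("asmith", "2025-03-05T07:30", "US", ["AnyDesk"]),
]

def review(events, declared, min_days=2):
    """Return {user: [findings]} for the technical red flags listed above."""
    odd_hours, total = defaultdict(int), defaultdict(int)
    tool_days = defaultdict(lambda: defaultdict(set))
    findings = defaultdict(list)
    for user, ts, country, procs in events:
        decl_country, offset = declared[user]
        start = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        local = start.astimezone(timezone(timedelta(hours=offset)))
        total[user] += 1
        if local.hour not in LOCAL_WORK_HOURS:
            odd_hours[user] += 1
        if country != decl_country:
            findings[user].append(f"geo mismatch: {country} on {local.date()}")
        for proc in procs:
            name = proc.lower()
            if name in REMOTE_TOOLS and name not in APPROVED_TOOLS:
                tool_days[user][name].add(start.date())
    for user in total:
        # Flag users whose sessions mostly start outside plausible local hours.
        if odd_hours[user] / total[user] > 0.5:
            findings[user].append(f"off-hours logins: {odd_hours[user]}/{total[user]}")
        # "Persistent" here means seen on at least min_days distinct days.
        for name, days in sorted(tool_days[user].items()):
            if len(days) >= min_days:
                findings[user].append(f"persistent unapproved tool: {name} ({len(days)} days)")
    return dict(findings)

if __name__ == "__main__":
    print(review(EVENTS, DECLARED))
```
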
The sentencing in this case underscores that the U.S. government is pursuing not just the North Korean orchestrators but also the American facilitators who make these operations possible. Laptop farm operators, identity providers, and payment processors who knowingly assist in these schemes face federal criminal exposure.