Two American citizens have been sentenced to 18 months in federal prison each for operating physical "laptop farms" — residential and commercial setups designed to provide North Korean IT workers with fraudulent U.S.-based network identities. The defendants helped approximately 70 American companies unknowingly hire DPRK workers who collected salaries and routed the proceeds back to North Korea, circumventing U.S. sanctions.
The sentencing follows a Department of Justice investigation into the broader North Korean IT worker program, which U.S. officials describe as a state-sponsored campaign generating hundreds of millions of dollars annually for the regime's weapons programs.
What Is a Laptop Farm?
A laptop farm in this context is a physical cluster of laptops or computers placed at a U.S. address — residential, commercial, or otherwise — each connected to the internet via a domestic U.S. internet service provider. North Korean workers operating overseas, primarily from China and Russia, connect to these machines remotely via KVM-over-IP devices, remote desktop software (AnyDesk, TeamViewer), or similar tools.
The result is a convincing digital disguise: when a U.S. company's IT team checks the laptop's network location, they see a domestic IP address. When an employment verification service checks the listed home address, it returns a valid U.S. location. Payroll systems see a standard W-9 or similar documentation, and corporate network telemetry shows an endpoint that looks locally connected.
The defendants received payments from North Korean-controlled organizations to host and maintain these setups, effectively serving as domestic infrastructure providers for the DPRK's IT fraud operation.
Scale and Impact
Across both defendants, approximately 70 U.S. companies were defrauded into paying salaries to North Korean workers. The combined revenue from those fraudulent positions exceeded $1.2 million — a figure that, while significant, represents only a narrow slice of a program U.S. officials estimate generates billions of dollars annually across its full scope.
The targeted companies ranged across industries including technology, finance, and healthcare. In many cases, the North Korean workers were genuinely skilled software engineers or IT administrators who performed legitimate work — a deliberate strategy to avoid detection. Their deliverables were functional, but their employment violated U.S. sanctions, and their real identities and locations were systematically concealed.
The DPRK IT Worker Threat
The North Korean IT worker program is coordinated under the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service, and linked to threat actor clusters including the Lazarus Group and its affiliated units. The program serves a dual purpose: generating foreign currency for the regime and, in some cases, enabling espionage or sabotage through access to corporate systems.
The FBI and CISA have previously issued joint advisories warning U.S. organizations that DPRK IT workers may attempt to:
- Gain access to sensitive proprietary or government data
- Install remote access tools or malware on corporate systems
- Exfiltrate intellectual property to benefit the North Korean state
- Enable future destructive cyberattacks by maintaining persistent access
Detecting North Korean IT Worker Infiltration
Organizations concerned about potential infiltration can look for a combination of technical and behavioral signals:
Technical red flags:
- Persistent remote desktop or KVM tools running on corporate-issued endpoints
- Login activity at hours inconsistent with the declared work time zone
- VPN usage that doesn't align with stated remote work location
- Multiple simultaneous sessions on a single employee endpoint
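The technical red flags above can be checked against endpoint telemetry. The following is an added example, not code from the advisories or the DOJ case: it scores constructed session records for remote-access tools, repeated off-hours logins and overlapping sessions from different sources. The record layout, process names, hour window and threshold are assumptions, and the declared time zone is simplified to a fixed UTC offset.

```python
from datetime import datetime, timedelta, timezone

# Assumed process names for the remote desktop tools the article names (lower-cased).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
WORK_START, WORK_END = 7, 20   # assumed tolerated local login hours, [start, end)
MIN_OFF_HOURS = 3              # assumed threshold: a pattern, not a one-off late login

def off_hours_logins(logins, utc_offset_hours):
    """Return the UTC login times that fall outside working hours in the declared zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [t for t in logins if not WORK_START <= t.astimezone(tz).hour < WORK_END]

def concurrent_sources(sessions):
    """Return pairs of source IPs whose sessions on one endpoint overlap in time."""
    pairs, ordered = set(), sorted(sessions, key=lambda s: s["start"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b["start"] >= a["end"]:      # sorted by start: nothing later overlaps a
                break
            if a["src"] != b["src"]:
                pairs.add(tuple(sorted((a["src"], b["src"]))))
    return pairs

def score_endpoint(rec):
    """Collect the technical red flags present in one endpoint record."""
    flags = [f"remote_tool:{t}" for t in sorted(REMOTE_TOOLS & {p.lower() for p in rec["processes"]})]
    late = off_hours_logins([s["start"] for s in rec["sessions"]], rec["declared_utc_offset"])
    if len(late) >= MIN_OFF_HOURS:
        flags.append(f"off_hours_logins:{len(late)}")
    if concurrent_sources(rec["sessions"]):
        flags.append("concurrent_sessions")
    return flags

def _s(src, day, hour, length=8):
    start = datetime(2024, 3, day, hour, tzinfo=timezone.utc)
    return {"src": src, "start": start, "end": start + timedelta(hours=length)}

# Constructed sample telemetry: invented hostnames, documentation-range IP addresses.
SAMPLE = [
    {"host": "LT-0417", "declared_utc_offset": -5, "processes": ["chrome.exe", "AnyDesk.exe"],
     "sessions": [_s("198.51.100.7", 4, 1), _s("198.51.100.7", 5, 2),
                  _s("198.51.100.7", 6, 1), _s("203.0.113.9", 6, 3, 2)]},
    {"host": "LT-0102", "declared_utc_offset": -5, "processes": ["chrome.exe", "code.exe"],
     "sessions": [_s("192.0.2.15", 4, 14), _s("192.0.2.15", 5, 13)]},
]
if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["host"], score_endpoint(rec) or "no flags")
```

No single flag is conclusive on its own; the value is in the combination, which is why the function returns every flag it finds rather than a yes/no verdict.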
Behavioral red flags:
- Camera refusal or persistent technical excuses for not appearing on video
- Written communication fluency that significantly exceeds spoken fluency
- Requests to redirect paychecks to third-party payment processors or cryptocurrency
- Credentials and résumés that are polished but difficult to verify through standard channels
- Unusually fast onboarding requests or reluctance to complete standard identity verification steps
Broader Enforcement Trend
This sentencing is part of a sustained U.S. government effort to dismantle the domestic enabler layer of North Korea's IT worker program. Previous enforcement actions have included indictments against DPRK nationals, arrests of identity brokers in the United States and United Kingdom, and civil forfeiture actions against shell companies used to launder proceeds.
The emphasis on prosecuting American facilitators — not just the North Korean orchestrators — signals that DOJ is expanding its targeting of the domestic infrastructure that makes these schemes viable. Laptop farm operators, identity document providers, and payment processors who knowingly participate face federal criminal exposure under wire fraud, sanctions violations, and money laundering statutes.