Two American men have been handed federal sentences for running so-called laptop farms — physical setups that allowed North Korean IT workers to remotely appear as if they were working from inside the United States. Their separate schemes impacted nearly 70 U.S. companies and funneled a combined $1.2 million into the coffers of the North Korean regime.
The Scheme Explained
The North Korean IT worker operation has been one of the more creative — and persistent — nation-state revenue-generation schemes in recent memory. Pyongyang deploys large pools of technically skilled workers overseas, primarily in China and Russia, who pose as U.S.-based freelancers and remote employees. The challenge: passing identity verification checks that require a U.S. presence.
That's where American facilitators like these two defendants came in. By hosting physical laptop farms — rooms or offices stocked with laptops and mobile hotspots — they gave North Korean handlers the ability to operate those machines remotely, creating the appearance that the workers were genuinely located in the United States. Employers using geolocation, IP address, or device-management checks would see a U.S. IP and U.S.-registered hardware.
Scale and Impact
Between the two defendants' operations:
- ~70 U.S. companies were defrauded into hiring workers they believed to be American citizens or lawful residents
- $1.2 million in wages was collected and funneled toward the DPRK regime
- Industries targeted included technology, financial services, and government contracting
The revenue generated, while modest on a per-operation basis, feeds into a much larger North Korean state enterprise. U.S. authorities estimate the broader DPRK IT worker program generates hundreds of millions of dollars annually for the regime — funds that directly support weapons development and sanctions evasion.
Sentencing Details
The men were sentenced separately following guilty pleas. Exact sentences were not fully detailed in public reporting at time of writing, but the DOJ has treated similar cases as serious federal offenses under wire fraud, money laundering, and sanctions violation statutes. Previous participants in the scheme have received multi-year sentences.
How Companies Get Caught
For employers, these schemes are difficult to detect because the workers are often genuinely competent. Red flags that security and HR teams have identified include:
- Multiple accounts sharing the same payment details or delivery address
- Unusual login patterns — e.g., logins from expected U.S. locations that switch to foreign geolocations during off-hours
- Requests to forward physical mail or hardware to unusual third-party addresses
- Reluctance to appear on video calls or use cameras, or use of AI-generated face deepfakes during video interviews
- Inconsistent biographical details in background checks compared to stated work history
The Bigger Picture
The DOJ has now charged or convicted dozens of individuals in connection with the North Korean IT worker scheme. The U.S. government has repeatedly warned companies — particularly in tech and financial services — that they may unknowingly be employing DPRK-linked workers.
FBI and CISA have published joint advisories outlining indicators of compromise for this scheme. Employers are encouraged to use device management controls that flag unexpected remote-access software or geographic inconsistencies, conduct live unscripted video verification during hiring, and carefully scrutinize payment routing for overseas transfers.
Bottom Line: This case is another conviction in a long-running North Korean state operation, but the broader scheme remains active. The sentencing of U.S. facilitators signals that domestic enablers face serious legal exposure — but employers need to independently harden their hiring pipelines against this persistent threat.