
US Disrupts North Korean IT Worker Scheme | Cybercrime Takedown

June 30, 2025

North Korea's IT Worker Scheme Targeted U.S. Companies

The U.S. Department of Justice revealed on Monday a series of enforcement measures taken against North Korea’s illicit financial activities. These operations depend on covert IT personnel, positioned remotely within American technology firms, to generate revenue for the nation’s nuclear weapons development and to engage in the theft of data and cryptocurrency.

Fraud Scheme Uncovered

As a component of a broad, multi-state initiative, the government announced the arrest and indictment of Zhenxing “Danny” Wang, a U.S. citizen. He is alleged to have orchestrated a long-running fraudulent scheme originating from New Jersey, designed to infiltrate remote North Korean IT workers into U.S. tech companies. The indictment details that this scheme yielded over $5 million in revenue for the North Korean government.

Wang faces charges of conspiracy to commit wire fraud, money laundering, and identity theft.

Additional Indictments

Federal authorities also indicted eight additional individuals involved in the scheme. This group comprises six Chinese nationals and two Taiwanese citizens, all accused of conspiring to commit wire fraud, money laundering, identity theft, hacking, and violations of sanctions.

“Thousands of North Korean cyber operatives have been trained and deployed by the regime to integrate into the global digital workforce and systematically target U.S. companies,” stated Leah B. Foley, U.S. Attorney for the District of Massachusetts.

Impact and Damages

Between 2021 and 2024, the co-conspirators allegedly assumed the identities of over 80 U.S. individuals to secure remote positions at more than 100 American companies. This activity resulted in $3 million in damages, encompassing legal expenses, data breach remediation, and related costs.

Operational Tactics

The group reportedly maintained “laptop farms” within the United States. These served as proxies, enabling North Korean IT workers to conceal their origins. At times, they employed keyboard-video-mouse (KVM) switches, allowing control of multiple computers from a single interface.

Furthermore, the DOJ stated that the group established shell companies within the U.S. to create the appearance of legitimate affiliations for the North Korean IT workers and to facilitate the transfer of funds abroad.

Data Theft and Sensitive Information

The fraudulent scheme also allegedly involved the theft of sensitive data, including source code, from the companies employing these workers. This included an unnamed California-based defense contractor specializing in artificial intelligence-powered equipment and technologies.

Law Enforcement Actions

The FBI conducted searches in June at 21 locations across 14 states, believed to be hosting the laptop farms utilized by the North Korean scheme. These raids resulted in the seizure of 137 laptops.

Additionally, federal authorities seized at least 21 web domains, 29 financial accounts used for laundering funds, and over 70 laptops and remote access devices, including KVMs.

Cryptocurrency Theft

Five North Korean nationals were indicted for wire fraud and money laundering following the theft of more than $900,000 in crypto from two unidentified companies. This theft was facilitated through the use of fraudulent or stolen identities, according to the DOJ.

These actions represent a significant effort to disrupt North Korea’s attempts to fund its weapons programs through illicit cyber activities.
