Justice Department Disrupts North Korean IT Worker Scheme Targeting U.S. Firms
A wide-reaching operation led by the Justice Department has resulted in significant actions targeting revenue-generating schemes operated by North Korean IT workers who infiltrated U.S. businesses. As part of the enforcement effort, the Department announced the execution of "two indictments, an arrest, searches of 29 known or suspected 'laptop farms' across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites." According to case filings, the schemes involved foreign operatives posing as remote IT workers using stolen identities, often with assistance from U.S.-based enablers. These actors secured employment at over 100 American companies, gaining access to sensitive internal systems and, in some cases, classified military data or blockchain source code. The campaign reflects an increasingly structured and deceptive method of generating illicit revenue in support of North Korea’s state objectives.
One key component of the scheme involved U.S.-based individuals facilitating unauthorized access through laptop farms—physical collections of company-issued devices remotely operated by overseas workers. These devices, placed in American homes, helped create the illusion that IT workers were based domestically. The Justice Department charged individuals in the U.S., China, and Taiwan for their role in establishing fake companies, setting up fraudulent web domains, and handling fund transfers for the North Korean operatives. A coordinated indictment unsealed in Massachusetts describes a scheme in which more than $5 million was earned from fraudulent employment contracts. Stolen data in at least one instance included content regulated under U.S. arms control export laws. The Justice Department emphasized the real-world implications of this access, noting its potential to harm national security and corporate trust.
A separate indictment unsealed in the Northern District of Georgia charged four North Korean nationals for stealing more than $900,000 in virtual currency while embedded at two blockchain-related companies. The operatives used false credentials and manipulated their access to exfiltrate digital assets, later laundering them through mixers and overseas-controlled exchange accounts. Between June 10 and June 17, 2025, law enforcement conducted 21 searches tied to suspected laptop farms across 14 states, seizing around 137 laptops used to support these schemes. This latest operation is part of the broader DPRK RevGen: Domestic Enabler Initiative, a joint effort between the FBI, the National Security Division, and other agencies to disrupt North Korea’s cyber-enabled funding channels. “North Korean IT workers defraud American companies and steal the identities of private citizens, all in support of the North Korean regime,” stated the FBI’s Cyber Division. The coordinated effort continues to dismantle the infrastructure enabling these operations while emphasizing the growing use of complex digital deception in state-sponsored cybercrime.