US Nationals Sentenced for Operating Laptop Farm for North Korean IT Workers
Key Takeaways
- Two U.S. nationals received federal prison sentences for operating a “laptop farm” that enabled North Korean IT workers to infiltrate over 100 American companies.
- The scheme generated more than $5 million in illicit revenue, which was funneled to North Korea’s weapons programs.
- Victim companies suffered critical data breaches, including the exfiltration of sensitive AI technical data controlled under ITAR, incurring at least $3 million in remediation costs.
- The operation involved extensive identity theft, KVM switch exploitation, and the use of shell companies to launder funds and mask the true location of the foreign operatives.
Two U.S. citizens have been sentenced to federal prison for their roles in a sophisticated “laptop farm” operation. This scheme allowed North Korean IT workers to illicitly access over 100 American businesses, generating more than $5 million in funds that supported the Democratic People’s Republic of Korea (DPRK) and its weapons development programs.
Kejia Wang, 42, received a 108-month prison sentence, while his co-conspirator, Zhenxing Wang, 39, was sentenced to 92 months. Both individuals had previously entered guilty pleas to charges of conspiracy involving wire fraud, money laundering, and identity theft.
Federal prosecutors detailed how the duo maintained physical locations within the United States. These sites housed company-issued laptops, effectively concealing the fact that North Korean IT professionals were accessing these devices from overseas. This sentencing is part of a broader, ongoing nationwide effort to dismantle similar DPRK fraud networks.
The Modus Operandi of the Laptop Farm
The multi-year operation, active from 2021 until October 2024, relied heavily on identity theft and technical deception. The perpetrators compromised the identities of over 80 U.S. citizens to secure remote IT positions at major American corporations, including several Fortune 500 companies.
To create the illusion of legitimate domestic operations, the Wangs established multiple shell companies, such as Hopana Tech LLC and Independent Lab LLC, which were used to launder the illicit salaries. These phantom companies had no actual employees but served as financial conduits, funneling millions of dollars to overseas co-conspirators. The U.S.-based operators kept nearly $700,000 for their facilitation.
The infiltration extended beyond financial fraud, posing significant risks to U.S. national security. According to the Department of Justice, the scheme led to critical data breaches and remediation costs totaling at least $3 million.
Key technical aspects of the compromise included:
- KVM Switch Exploitation: The operators connected victim companies’ laptops to Keyboard-Video-Mouse (KVM) switches. This allowed overseas workers to access the devices remotely while appearing to log in from U.S. residential IP addresses.
- Source Code Theft: Unauthorized remote access granted North Korean operatives entry into sensitive employer networks and proprietary source code repositories.
- ITAR Data Exfiltration: In early 2024, overseas actors successfully breached a California-based defense contractor, stealing artificial intelligence technical data specifically controlled under the International Traffic in Arms Regulations (ITAR).
This sentencing marks a significant milestone in the DOJ’s “DPRK RevGen: Domestic Enabler Initiative.” Following raids across multiple states, federal agents seized dozens of laptops, remote access devices, and web domains linked to the shell companies. Concurrently, the U.S. Department of State announced a $5 million reward for information that leads to the disruption of eight additional fugitive co-conspirators involved in the financial mechanisms supporting this DPRK scheme.
The FBI and Homeland Security Investigations underscore the importance of organizational vigilance against remote worker fraud.
What You Should Do
- Implement robust identity verification processes for all remote employees, especially those in IT roles.
- Utilize multi-factor authentication (MFA) for all network access and critical systems.
- Regularly audit remote access logs for unusual activity, geographic inconsistencies, or atypical login patterns.
- Employ endpoint detection and response (EDR) solutions to monitor and detect suspicious activity on company-issued devices.
- Conduct thorough background checks and continuous monitoring for employees with access to sensitive data or systems.
- Educate employees about social engineering tactics and the risks associated with identity theft.
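The log audit recommended above can be sketched as follows. This is an added example, not code from the DOJ, the FBI, or the article's source. It flags two signals consistent with a laptop farm: several accounts sharing one residential source IP, and logins that never originate from the state on the employee's HR record. The log layout, usernames, IP addresses, and the `min_users` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article). Each remote-access record is
# (username, source_ip, geolocated_state); HR_STATE is the state on file.
LOGINS = [
    ("adavis", "203.0.113.10", "NJ"),
    ("bchen", "203.0.113.10", "NJ"),
    ("cmoore", "203.0.113.10", "NJ"),
    ("dlee", "198.51.100.7", "TX"),
    ("dlee", "198.51.100.7", "TX"),
    ("egarcia", "192.0.2.44", "CA"),
]
HR_STATE = {"adavis": "OH", "bchen": "NJ", "cmoore": "FL",
            "dlee": "TX", "egarcia": "CA"}

def shared_ip_clusters(logins, min_users=3):
    """Source IPs used by at least min_users distinct accounts.
    A threshold of 3 (an assumption) avoids flagging two-person households."""
    users_by_ip = defaultdict(set)
    for user, ip, _state in logins:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}

def geo_mismatches(logins, hr_state):
    """Accounts whose logins never come from the state on their HR record."""
    states_seen = defaultdict(set)
    for user, _ip, state in logins:
        states_seen[user].add(state)
    flagged = []
    for user, states in states_seen.items():
        home = hr_state.get(user)
        if home is not None and home not in states:
            flagged.append((user, home, sorted(states)))
    return sorted(flagged)

def triage(logins, hr_state, min_users=3):
    """Score each account by how many signals it trips, highest first."""
    scores = defaultdict(int)
    for users in shared_ip_clusters(logins, min_users).values():
        for user in users:
            scores[user] += 1
    for user, _home, _seen in geo_mismatches(logins, hr_state):
        scores[user] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for user, score in triage(LOGINS, HR_STATE):
        print(f"{user}: {score} signal(s), review device location and identity")
```

Neither signal is proof on its own: shared corporate VPN egress addresses and recently relocated staff produce the same pattern, so flagged accounts are candidates for identity re-verification rather than confirmed fraud.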