US Nationals Sentenced for Operating Laptop Farm for North Korean IT Workers

Sarah Simpson
April 16, 2026

Key Takeaways

  • Two U.S. nationals received federal prison sentences for operating a “laptop farm” that enabled North Korean IT workers to infiltrate over 100 American companies.
  • The scheme generated more than $5 million in illicit revenue, which was funneled to North Korea’s weapons programs.
  • Victim companies suffered critical data breaches, including the exfiltration of sensitive AI technical data controlled under ITAR, incurring at least $3 million in remediation costs.
  • The operation involved extensive identity theft, KVM switch exploitation, and the use of shell companies to launder funds and mask the true location of the foreign operatives.

Two U.S. citizens have been sentenced to federal prison for their roles in a sophisticated “laptop farm” operation. This scheme allowed North Korean IT workers to illicitly access over 100 American businesses, generating more than $5 million in funds that supported the Democratic People’s Republic of Korea (DPRK) and its weapons development programs.

Kejia Wang, 42, received a 108-month prison sentence, while his co-conspirator, Zhenxing Wang, 39, was sentenced to 92 months. Both individuals had previously entered guilty pleas to charges of conspiracy involving wire fraud, money laundering, and identity theft.

Federal prosecutors detailed how the duo maintained physical locations within the United States. These sites housed company-issued laptops, effectively concealing the fact that North Korean IT professionals were accessing these devices from overseas. This sentencing is part of a broader, ongoing nationwide effort to dismantle similar DPRK fraud networks.

The Modus Operandi of the Laptop Farm

The multi-year operation, active from 2021 until October 2024, relied heavily on identity theft and technical deception. The perpetrators compromised the identities of over 80 U.S. citizens to secure remote IT positions at major American corporations, including several Fortune 500 companies.

To create the illusion of legitimate domestic operations, the Wangs established multiple shell companies, such as Hopana Tech LLC and Independent Lab LLC, which were used to launder the illicit salaries. These phantom companies had no actual employees but served as financial conduits, funneling millions of dollars to overseas co-conspirators. The U.S.-based operators kept nearly $700,000 for their facilitation.

The infiltration extended beyond financial fraud, posing significant risks to U.S. national security. According to the Department of Justice, the scheme led to critical data breaches and remediation costs totaling at least $3 million.

Key technical aspects of the compromise included:

  • KVM Switch Exploitation: The operators connected victim companies’ laptops to Keyboard-Video-Mouse (KVM) switches. This allowed overseas workers to access the devices remotely while appearing to log in from U.S. residential IP addresses.
  • Source Code Theft: Unauthorized remote access granted North Korean operatives entry into sensitive employer networks and proprietary source code repositories.
  • ITAR Data Exfiltration: In early 2024, overseas actors successfully breached a California-based defense contractor, stealing artificial intelligence technical data specifically controlled under the International Traffic in Arms Regulations (ITAR).

This sentencing marks a significant milestone in the DOJ’s “DPRK RevGen: Domestic Enabler Initiative.” Following raids across multiple states, federal agents seized dozens of laptops, remote access devices, and web domains linked to the shell companies. Concurrently, the U.S. Department of State announced a $5 million reward for information that leads to the disruption of eight additional fugitive co-conspirators involved in the financial mechanisms supporting this DPRK scheme.

The FBI and Homeland Security Investigations underscore the importance of organizational vigilance against remote worker fraud.

What You Should Do

  • Implement robust identity verification processes for all remote employees, especially those in IT roles.
  • Utilize multi-factor authentication (MFA) for all network access and critical systems.
  • Regularly audit remote access logs for unusual activity, geographic inconsistencies, or atypical login patterns.
  • Employ endpoint detection and response (EDR) solutions to monitor and detect suspicious activity on company-issued devices.
  • Conduct thorough background checks and continuous monitoring for employees with access to sensitive data or systems.
  • Educate employees about social engineering tactics and the risks associated with identity theft.
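
One way to act on the log-audit recommendation for this kind of case, shown as an added example that is not from the article or the DOJ: because a laptop farm keeps many company-issued laptops at one site, the check flags any source IP shared by several distinct accounts. The log format, field names, threshold and allowlist are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample remote-access log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2024-03-04T09:01:12Z user=adavis device=LT-1041 src=203.0.113.25
2024-03-04T09:03:40Z user=bnguyen device=LT-2210 src=203.0.113.25
2024-03-04T09:07:05Z user=cpatel device=LT-3177 src=203.0.113.25
2024-03-04T09:10:31Z user=dlopez device=LT-0932 src=198.51.100.7
2024-03-05T08:58:02Z user=adavis device=LT-1041 src=203.0.113.25
2024-03-05T09:15:44Z user=emiller device=LT-4410 src=198.51.100.7
2024-03-05T09:20:00Z user=emiller device=LT-4410 src=192.0.2.80
"""

# Assumed allowlist: office/VPN egress addresses where many users are expected.
KNOWN_SHARED_EGRESS = {"198.51.100.7"}

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...'; return None for malformed lines."""
    parts = line.split()
    try:
        rec = dict(p.split("=", 1) for p in parts[1:])
        rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except (ValueError, IndexError):
        return None
    return rec if {"user", "device", "src"} <= rec.keys() else None

def shared_source_ips(log_text, min_users=3, allowlist=KNOWN_SHARED_EGRESS):
    """Flag source IPs outside the allowlist used by >= min_users distinct accounts."""
    seen = defaultdict(lambda: {"users": set(), "devices": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allowlist:
            continue
        entry = seen[rec["src"]]
        entry["users"].add(rec["user"])
        entry["devices"].add(rec["device"])
        entry["times"].append(rec["ts"])
    findings = []
    for ip, e in sorted(seen.items()):
        if len(e["users"]) >= min_users:
            findings.append({"ip": ip, "users": sorted(e["users"]),
                             "devices": sorted(e["devices"]),
                             "first_seen": min(e["times"]), "last_seen": max(e["times"])})
    return findings

if __name__ == "__main__":
    for f in shared_source_ips(SAMPLE_LOG):
        print(f["ip"], f["users"], f["first_seen"].date(), "->", f["last_seen"].date())
```

A hit is a lead for HR and IT to compare against the address each laptop was shipped to, not proof of fraud: shared housing and co-working spaces produce the same pattern.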

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
