US authorities unmask North Korean IT worker schemes and their American accomplices

The Department of Justice announced a series of actions on June 30 as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.

Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.

Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on June 30 to carefully screen their remote employees to avoid falling victim to similar ruses.

“The FBI will do everything in our power to defend the homeland and protect Americans from being victimized by the North Korean government,” Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division, said in a statement, “and we ask all U.S. companies that employ remote workers to remain vigilant to this sophisticated threat.”

In one of the two schemes that the government disrupted, multiple U.S.-based facilitators — including New Jersey residents Zhenxing Wang and Kejia Wang and at least four others — worked with five Chinese nationals, two Taiwanese nationals and other unidentified defendants to compromise the identities of more than 80 U.S. citizens and get jobs at more than 100 U.S. companies — many of them on the Fortune 500 — resulting in at least $3 million in legal fees, remediation costs and other expenses.

“To deceive U.S. companies into believing the IT workers were located in the United States,” the DOJ said in a press announcement, the U.S. facilitators “received and/or hosted laptops belonging to U.S. companies at their residences, and enabled overseas IT workers to access the laptops remotely.”

Authorities arrested Zhenxing Wang, while the other defendants remain at large. A DOJ spokesperson declined to immediately provide more information about the status of the other named American defendant, Kejia Wang.

Zhenxing Wang, Kejia Wang and the other U.S.-based facilitators ran the operation from 2021 until October 2024, creating shell companies, complete with websites and financial accounts, to legitimize their activities. They transferred “much” of the money from the victim companies to “overseas co-conspirators” and received at least $696,000 for their work, according to the DOJ.

Source code exposed

As part of this operation, the government said, North Korea’s IT workers accessed “sensitive employer data and source code,” including restricted data from “a California-based defense contractor that develops artificial intelligence-powered equipment and technologies.”

One California resident who helped facilitate the operation was an active-duty U.S. military service member with a Secret security clearance, according to a charging document, a detail that highlights the widespread national security risks of Pyongyang’s activities.

In October 2024, authorities executed search warrants at eight locations in three states that resulted in the seizure of more than 70 laptops and other devices used to enable overseas remote access. The FBI also seized four websites associated with the shell companies.

On June 30, the FBI and the Defense Criminal Investigative Service seized 17 more websites, along with 29 money-laundering accounts that the government said held “tens of thousands of dollars in funds.”

National security threat

In the second case, authorities charged four North Korean nationals with wire fraud and money laundering for stealing and laundering cryptocurrency then valued at more than $900,000 from two companies, an Atlanta-based blockchain research firm and a Serbian cryptocurrency firm. 

The two operations detailed account for only a portion of the FBI’s investigations into North Korean IT worker schemes. In mid-June, the FBI searched 21 “known and suspected laptop farms” in 14 states, seizing more than 130 laptops. Those searches were part of open investigations in Colorado, Missouri and Texas.