North Korean IT Workers Laptop Farm Scam: US Co-Conspirator Sentenced to 7–9 Years, Netting $2.8 Billion Over Two Years

According to a Fortune report dated 4/25, over the past two years the North Korean government infiltrated U.S. and European companies through remote IT workers, generating about $2.8 billion in revenue to support nuclear weapons development programs. In addition, the United Nations’ Multilateral Sanctions Monitoring Board estimates a steady annual contribution of $250 million to $600 million. In line with this structure’s operation, “U.S.-based accomplices” involved in assisting these scams have recently been sent to prison one after another, revealing that the key to how these scams have been able to survive is the accomplice network operating inside the country.

DOJ: Two U.S. defendants sentenced to 7.5 years and 9 years

The U.S. Department of Justice, on 4/15–4/16 over two days, announced sentencing for two New Jersey residents—Kejia Wang and Zhenxing Wang—each receiving 7.5 years and 9 years in prison, respectively. The charges against them center on operating a long-running “laptop farm”: placing dozens of company-issued work laptops within the United States, so that IT workers actually located in North Korea could operate those laptops through remote connections. This caused the companies’ IT monitoring tools to mistakenly detect the activity as originating from the U.S. mainland.

Prosecutors said the case used stolen identities of at least 80 U.S. citizens, and more than 100 companies were affected, including Fortune 500 companies. The total amount involved was more than $5 million brought in for the North Korean government, with intermediary fees paid to the two Wang defendants as the primary accomplices.

How a laptop farm operates

The core structure of this type of scam is not complicated: North Korean IT workers (most based in Dandong, Liaoning, or Vladivostok, or through cooperative networks along the China–Russia border) apply for remote positions at U.S. companies using stolen U.S. identities. Once hired, the company ships the laptops to the “employee-designated address”—an address that is, in fact, the laptop farm operated by accomplices within the United States. The accomplices set up the laptops under a fixed IP and fixed time zone, and handle plugging and unplugging power, processing deliveries, and forwarding physical mail. The North Korean workers log in and operate the laptops through remote tools such as RDP or anydesk. The code produced and the work results are then accepted by the company through normal verification. Monthly wages are transferred into U.S. accounts, and then after the accomplices take a cut, they are sent out via cryptocurrency (mostly USDT).

With this setup, the company-side three compliance checks—(1) the employee’s IP is in the United States, (2) the device serial number is registered in the United States, and (3) the time zone for on-time entry and exit aligns—are all fully passed. For the past three years, this has been the internal threat that U.S. corporate security teams have found most difficult to detect.

The North Korean accomplice network is the weakest link in the sanctions chain

North Korea itself is not short of programming-capable talent, but it lacks partners who “have real-world infrastructure and U.S. identity documents within Western legal jurisdictions.” This is also the key focus of Fortune’s report headline: Americans are actively helping North Korea complete this scam’s closed loop. The sentencing length in the Kejia Wang and Zhenxing Wang cases (7.5 and 9 years) is among the longest to date for laptop farm cases in the United States, reflecting that the Justice Department views such cases as a double threat of “sanctions evasion + national security.”

Extended risks to the crypto industry

This framework overlaps highly with the crypto industry: the North Korean revenue end usually ultimately exits in USDT or other stablecoins, which is also one of the targets that Tether has coordinated with OFAC to freeze multiple times in the past. Previously, abmedia reported Tether and OFAC freezing $344 million worth of USDT on the Tron chain, as well as DOJ indictments related to insider trading by special forces officer Polymarket and other cases—together with this laptop farm case, marking an escalation in U.S. law enforcement against national-level cybercrime. For the crypto industry, this means compliance and KYC requirements will continue to intensify—especially the monitoring pressure on stablecoin issuers regarding “abnormally frequent P2P withdrawals” and “large-batch deposits to centralized addresses.”

For businesses, the most direct responses are: strengthen identity verification for remote IT employees, including video interviews (North Korean IT workers typically request written communication to avoid being seen on camera), tracking delivery addresses for physical devices, and analyzing long-term patterns of IP behavior and work time zones. Fortune’s report cites industry consultants’ estimates that there are still laptop farms operating in the United States that have not yet been uncovered, and the number of accomplices involved is far greater than the cases already brought to prosecution.

This article North Korean IT workers laptop farm scam: U.S. accomplices sentenced to 7–9 years, $2.8 billion earned over two years first appeared in Lian News ABMedia.