This month, a federal choose in Massachusetts sentenced Kejia “Tony” Wang, a 42-year-old husband and father from New Jersey, to 9 years in jail for spearheading what prosecutors described as a world fraud operation that positioned North Korean IT staff in tech jobs at greater than 100 American corporations—together with Fortune 500 corporations.
Over the course of three years, Wang’s community stole the identities of greater than 80 Individuals, solid pretend social safety playing cards and California driver’s licenses with pictures of the North Korean operatives, filed false employment varieties with the Division of Homeland Safety, and doctored tax paperwork that went to the IRS and Social Safety Administration. The scheme, through which the North Koreans obtained employed utilizing Individuals’ stolen identities, generated greater than $5 million in wage funds from the sufferer corporations. The next fallout as soon as it was uncovered precipitated no less than $3 million in authorized charges and laptop clean-up prices at companies in 28 states and the District of Columbia, courtroom data present. One other participant within the scheme, Zhenxing Wang, 39—no relation to Kejia Wang, however a buddy since each males arrived from China practically 20 years in the past—was sentenced to just about eight years in jail. The courtroom ordered each to forfeit $600,000, collectively, that they had been paid from their half within the fraud.
The Wang jail phrases deliver the variety of Individuals convicted for aiding North Korean chief Kim Jong Un’s authorities to no less than seven since final yr. The group features a former active-duty U.S. Military soldier, an Arizona girl, a nail technician from Maryland, and two males from California. All earned 1000’s of {dollars} for serving to North Koreans gather tens of millions in wage for doing distant IT jobs. The wave of sentencing started in 2025 with a responsible plea by Christina Chapman, a 51-year-old girl who cared for 90 laptops in her residence whereas serving to her North Korean handlers get jobs at 309 corporations, raking in $17.1 million. The salaries are diverted to Kim’s authorities to pay for nuclear weapons growth, officers say.
“North Korea turns around and uses the money it steals through these operations to fund the unlawful development of weapons of mass destruction—nuclear bombs, for example, and ballistic missiles with which to target the United States and our allies,” Jonathan Fritz, principal deputy assistant secretary of state for East Asia Pacific affairs, mentioned at a UN committee assembly on the North Korean fraud scheme in January.
The latest spate of jail phrases is supposed to be a deterrent to curious Individuals who see collaborating within the scheme as a get-money-quick possibility, however investigators say that is solely the tip of the iceberg on the subject of the U.S. muscle undergirding the fraud scheme. Some American facilitators are subtle, some are naive, and others walked away from the scheme years in the past. Nonetheless, involvement on this fraud isn’t informal. American identities are nonetheless circulating via the North Korean fraud equipment after they’ve utterly moved on with their lives, investigators say.
The scheme depends on two forms of American identities. Within the Wang case, they had been harvested from background-check databases and connected to solid paperwork with out the actual Individuals’ information. In others, identities are willingly rented by individuals who may go even additional by exhibiting up for interviews, accepting laptops, giving urine samples or blood for drug assessments, or sitting in places of work pretending to work. They take a reduce of the wage in trade for offering cowl to the North Korean operators to allow them to move as American IT staff. In follow, investigators say, the 2 classes blur. Some facilitators are unwitting victims whereas others declare identification theft after the actual fact. To the North Korean IT staff, each are interchangeable.
The North Korean IT employee scheme, through which operatives get distant tech jobs at U.S. and European corporations, is a vital a part of a broad marketing campaign of malfeasance by the Democratic Folks’s Republic of Korea (DPRK) that has generated about $2.8 billion prior to now two years to assist fund the nation’s nuclear weapon ambitions, in keeping with the UN’s Multilateral Sanctions Monitoring Committee. The committee, which tracks DPRK sanctions violations and evasion ways, revealed in January that the scheme has now victimized 40 nations across the globe. A big portion of that complete is the results of crypto theft, however the IT employee scheme reliably generates $250 million to $600 million per yr in fraudulent salaries, the UN has discovered.
“North Koreans are taking American jobs, and they’re stealing cryptocurrency from American owners of said cryptocurrency,” mentioned Fritz. “A North Korean IT worker can live in Laos, steal the identity of a Ukrainian online, and then use that identity to defraud a U.S. company into hiring them—often for remote jobs with salaries in the hundreds of thousands of dollars range.”
Synthetic intelligence has added a completely new increase to the scheme. On the UN committee assembly, Evan Gordenker of cybersecurity agency Palo Alto Networks described a tactic his workforce had noticed. In real-time, AI transformed a North Korean accent right into a convincing American-sounding voice throughout dwell job interviews. Gordenker mentioned the North Korean regime has constructed an industrial hiring machine through which getting a job is itself the job, with specialists for crafting resumes, sitting for interviews, and others who do the precise work as soon as a place is secured.
“Your citizens are competing against a mechanized system that has been honed over years of training to exploit how we hire,” Gordenker advised delegates on the UN committee assembly in January. “Until we change the fundamental system of hiring, I don’t think there is anything we can do centrally to make sure that this doesn’t happen.”
Moreover, because the U.S. authorities’s priorities have shifted towards Venezuela, China, and Iran, monitoring DPRK infiltration might see fewer sources, mentioned Michael “Barni” Barnhart, lead investigator from cybersecurity agency DTEX, and an skilled in monitoring DPRK IT staff. The U.S. individuals play a key function within the scheme and far in regards to the extent of their work is unclear. Barnhart mentioned he usually sees various ranges of participation by Individuals in investigations. Some work as identification brokers—offering the pretend paperwork, names, and figuring out info to North Koreans, whereas others agree to seem on digicam for video interviews. Others present as much as take drug assessments or go into the workplace to fill a seat and comply with a return-to-office directive whereas their work duties are accomplished by North Koreans.
“We will immediately knee-jerk assume they are a victim,” mentioned Barnhart in regards to the American conspirators. “And then once we start peeling back the onion, it’s like, ‘Oh, you’re enjoying this.’”
Cybersecurity corporations, fintechs, and crypto-related corporations see quite a few pretend functions from DPRK staff, mentioned Barnhart. Insider intelligence agency DTEX, the place Barnhart works, had 87 North Korean IT staff apply for jobs lately, he added.
The Sting
Barnhart and the opposite investigators in his community have been monitoring a number of American identities for years which have circulated via the scheme and, regardless of being flagged by cybersecurity corporations and legislation enforcement, have remained energetic as of final month. These actual identities supply cowl, a real social safety quantity, and an identification veneer that the DPRK IT staff can use of their schemes to get jobs, even when the actual American, who may need initially lent their identification to the scheme, has stopped collaborating.
Barnhart and investigators he works with—a lot of whom work below false identities to keep away from retaliation—arrange an operation in 2024 to attempt to lure DPRK IT staff and American facilitators into the open to hint their ways and strategies. A companion created a entrance firm and posted some job listings. It wasn’t lengthy earlier than a candidate utilized claiming to hail from Austin, Texas. On video calls nonetheless, the candidate didn’t present any familiarity with typical Texan tradition.
“There was nothing about football, nothing about barbecue,” mentioned Barnhart, who spoke throughout an DTEX panel in San Francisco in March. “You just peel back the onion a little bit, and you can see that the lies fall apart. Everything’s an inch deep.”
Barnhart and his community wished to see how far the scheme would stretch. They advised the employee he wanted to return on-site for identification verification the place they anticipated the ruse to break down.
As an alternative, a younger man named “David” walked into the power in particular person, offered an actual government-issued ID, signed the paperwork, and handed the screening. David, whose final title Fortune is withholding for privateness causes, was not the identical particular person from the video interviews, he was a neighborhood proxy—an actual American lending his identification to another person he probably by no means met face-to-face, mentioned Barnhart.
“We thought it was a stolen identity until the real dude showed up,” Barnhart mentioned. “That’s where we got to the facilitator stuff.”
The David who confirmed up claiming to be the applicant seemed to be a school scholar on the time. Barnhart surmised he was choosing up some additional money in a aspect deal he may not have really understood.
“When he was doing this with us, he was in college,” mentioned Barnhart. “I bet he was just, like, a poor college kid.”
However the operation didn’t finish with David. When Barnhart’s operation went to ship a “company laptop” to David in Texas, David mentioned he’d moved and requested that or not it’s routed to Moorhead, Minnesota as an alternative. There, a distinct facilitator, a person named “Aaron,” accepted the bundle below David’s title, mentioned Barnhart. Aaron, whose final title Fortune can be withholding, obtained the laptop computer, set it up, and organized it so a North Korean IT employee might carry out the job duties. Barnhart’s workforce had digital forensics noting each step.
“We have confirmed. We sent hardware and infrastructure to his home and it was accepted,” Barnhart mentioned. “Through the partner company we were working with, we were able to see forensics on the laptop to show it was operational at his location.”
A number of cybersecurity operators and legislation enforcement had been alerted to Aaron and David’s roles, however so far as Barnhart is conscious, motion has not but been taken. Barnhart suspects that their work contained in the scheme could be so low stage that it doesn’t meet the brink for legislation enforcement working with restricted sources.
Fortune corresponded with David and Aaron after being given their contact info from Barnhart.
David denied a number of occasions through LinkedIn messages that he ever accepted a laptop computer on behalf of anybody else and mentioned he was unaware of any employment scheme. After being contacted by Fortune with questions, David mentioned his identification was stolen and that he has found 10 jobs linked to his identification since 2021 when he was 19 years previous.
“I actually went ahead and checked my IRS transcripts over the weekend and noticed that there were tons of w2s dating back to when I was 19 that I never applied or work [sic] for,” David wrote in a LinkedIn message this month. “Someone definitely stole my identity back then and applied to jobs without my knowledge. Many had addresses from a completely different state. I went ahead and filled out the form 14039 to report it to the [IRS]. I also reported it to FTC.”
Aaron denied any information of a laptop computer or North Korean IT employee scheme.
No matter how a lot the American facilitators know or don’t know, the DPRK scheme depends on their participation, prosecutors mentioned.
“North Korean IT worker schemes would not be successful without U.S.-based facilitators,” mentioned Assistant Legal professional Normal John Eisenberg in an April sentencing memo. The facilitators “assist overseas remote IT workers by operating laptop farms, creating fictitious front companies and associated financial accounts, defrauding U.S. companies through the use of false and fake identification documents, and pocketing substantial sums of money for their roles.”
Identities that By no means Die
Whether or not or not Aaron or David had been a part of a scheme wittingly or unwittingly, their identities are nonetheless circulating via the North Korean IT employee pipeline, mentioned Barnhart.
It units the North Korean scheme aside from different garden-variety frauds as a result of after a facilitator walks away, will get arrested, or simply stops collaborating, their identities preserve working. By mid-2024 as an illustration, Barnhart thought he’d seen the final of Aaron and David. In June 2025, the FBI introduced it had performed 29 raids throughout 16 states, and had seized 21 fraudulent web sites that had been a part of the scheme.
“I thought I’d never see [them] again, and moved on,” mentioned Barnhart.
Then in winter 2026, one other investigator colleague texted him a screenshot exhibiting that the 2 names had been listed as board members of an American employment firm for tech staff. The corporate serves as a entrance for North Koreans within the scheme in order that they look like vetted, background-checked staff, when in actuality they use stolen or pretend identities shielding their identities as North Korean operatives.
“I was like, dammit,” mentioned Barnhart.
Barnhart mentioned his workforce has additionally pinpointed a 3rd identification floating round that additionally goes by “David” however with a distinct final title. The particular person behind all three identities, the one really doing the work and logging into the computer systems from overseas, was tied to a single North Korean operative Barnhart and different investigators had been monitoring for years.
The true Davids and Aaron might have walked away from no matter association they as soon as had however their names and digital footprints have taken on a lifetime of their very own contained in the North Korean equipment. Pretend LinkedIn profiles with their names have been created and deleted, and resumes with their identities nonetheless land on recruiters desks. The pretend Aaron and the pretend Davids are nonetheless “very alive, very well, and still doing IT work,” mentioned Barnhart.
The true individuals behind these identities “might not even know they’re still part of the scam,” mentioned Barnhart.
Sufferer or Conspirator?
The David-Aaron problem illustrates what could be a murky line between cybersecurity analysis, legislation enforcement, and accountable hiring. It’s arduous to attract a clear line and it’d shift over time.
Mitchell Inexperienced, a supervisor at Aon’s Cyber Options unit who spoke on the panel with Barnhart, mentioned he has labored on greater than a dozen circumstances which have uncovered and fired distant North Korean IT staff employed at corporations. He’s seen a variety of facilitator involvement.
“Some of them are very smart, and they’re getting really involved in the operation and they’re essentially a force multiplier,” Inexperienced mentioned. “We have others who are very unassuming.”
The grooming course of will also be intensive, Inexperienced mentioned. North Korean IT staff make investments closely into constructing relationships with American conspirators, generally over months, so as to domesticate belief.
“We’ve seen them actually, in some cases, helping the facilitators with homework,” he mentioned. “There’s a lot of social engineering that happens on that side, too.”
Some DPRK staff have actually leaned in on American company tradition and norms. Barnhart mentioned he’s seen staff notice they’re about to be caught and announce that they’re taking medical go away. U.S. corporations are usually restricted from contacting staff who’re on protected go away. In a single occasion, an worker obtained one other six paychecks as a result of he understood he might use that point to generate further income for the scheme, mentioned Barnhart.
However for each Kejia Wang who receives a near-decade jail sentence, there are facilitators who had been by no means raided, by no means charged, and whose stolen or borrowed identities stay completely lodged in an operation they might have had a hand in throughout a second of weak point. On the UN occasion, Palo Alto’s Gordenker framed the stakes in human phrases. The distant jobs that North Korean operatives are stealing—versatile, well-paying positions that may be completed from residence—are precisely the sort of work that Individuals with disabilities, caregiving duties, or restricted mobility rely on.
“These are typically well-paying jobs, sometimes jobs that can be taken from home,” Gordenker mentioned. “Folks that have issues with accessibility, folks that have children that they must care for, folks that are caring for elders—these are the types of jobs that would be gold mines for those families.”
