The Hidden Threat in Your Remote Team: How North Korean Operatives Infiltrate U.S. Companies
NBC News, 21 hours ago

Summary:

  • North Korea uses laptop farms to place remote workers in U.S. companies, funneling money back to the regime

  • At least 10 U.S. facilitators have been charged, including an active-duty Army member, for hosting these operations

  • Chinese money laundering networks help convert illicit earnings, with ties to organized crime and cryptocurrency theft

  • The scheme is expanding into less-scrutinized roles like customer service and financial processing across multiple countries

  • Experts warn this creates "ticking time bombs" inside organizations with potential for future cyberattacks

The North Korean IT Worker Scheme

North Korea has been running a sophisticated operation to place remote workers at U.S. companies, funneling money back to its regime and sometimes stealing sensitive information. This scheme relies on laptop farms – physical locations in the U.S. where North Korean IT teams trick companies into believing their remote workers are based locally.

North Korean IT workers in an undisclosed location. Source: Dept. of Justice

How the Operation Works

Laptop farms provide both a U.S. address for mailing laptops and a U.S. internet connection. Once equipped with remote access software, workers can log into these laptops from anywhere in the world. At least 10 alleged U.S.-based facilitators have been federally charged, including an active-duty U.S. Army member, for hosting these farms, laundering payments, and moving proceeds through shell companies.
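
The setup described above leaves traces a company can look for: several employees' laptops mailed to one address, or sharing one internet connection, with remote access software installed. The following check is an added example, not from the original article or any agency; the inventory records and their field names (`ship_to`, `egress_ip`, `remote_access_tool`) are constructed assumptions about what an asset or endpoint export might contain.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): one record per company laptop.
# Field names are assumptions, not a real product's export schema.
DEVICES = [
    {"employee": "e101", "ship_to": "12 Oak St, Apt 4, Springfield",
     "egress_ip": "203.0.113.7", "remote_access_tool": True},
    {"employee": "e102", "ship_to": "12 oak st  apt 4 springfield",
     "egress_ip": "203.0.113.7", "remote_access_tool": True},
    {"employee": "e103", "ship_to": "12 Oak St., Apt 4, Springfield",
     "egress_ip": "203.0.113.7", "remote_access_tool": False},
    {"employee": "e104", "ship_to": "9 Elm Rd, Shelbyville",
     "egress_ip": "198.51.100.20", "remote_access_tool": True},
    {"employee": "e105", "ship_to": "77 Pine Ave, Ogdenville",
     "egress_ip": "198.51.100.21", "remote_access_tool": False},
]

def normalize_address(addr):
    """Lowercase, drop punctuation, collapse whitespace so variants compare equal."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in addr.lower())
    return " ".join(cleaned.split())

def find_farm_candidates(devices, min_employees=2):
    """Report shipping addresses and egress IPs shared by several distinct
    employees where at least one of the laptops has remote access software."""
    groups = defaultdict(list)
    for d in devices:
        groups[("address", normalize_address(d["ship_to"]))].append(d)
        groups[("egress_ip", d["egress_ip"])].append(d)
    findings = []
    for (kind, value), members in groups.items():
        employees = sorted({m["employee"] for m in members})
        remote = sorted({m["employee"] for m in members if m["remote_access_tool"]})
        # One employee alone, or a shared location with no remote tooling, is not flagged.
        if len(employees) >= min_employees and remote:
            findings.append({"shared": kind, "value": value,
                             "employees": employees, "with_remote_access": remote})
    return sorted(findings, key=lambda f: (f["shared"], f["value"]))

if __name__ == "__main__":
    for finding in find_farm_candidates(DEVICES):
        print(finding)
```

A shared address or connection also occurs legitimately (two employees in one household, a coworking space), so each finding is a prompt for identity re-verification rather than proof.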

In one case, American citizen Kejia "Tony" Wang traveled to China in 2023 to meet with co-conspirators and IT workers. Laptops from over 100 U.S. companies, including a California-based defense contractor, were sent to Wang, who also set up shell companies to route wages earned overseas. Wang pleaded guilty to wire fraud, money laundering, and identity theft charges.

"We believe there are many more hundreds of people out there who are participating in these schemes," said FBI assistant director Rozhavsky. "They could never pull this off if they didn't have willing facilitators in the U.S. helping them."

Money Laundering Networks

Once illicit money is earned, North Korean teams rely on Chinese money laundering networks to consolidate and convert it to government-issued currency. These networks operate across southern China and Southeast Asia, including Myanmar, Hong Kong, Macao, and China's Fujian province.

"Every bad guy you can think of is using Chinese money launderers. Now, this is how money moves internationally," said Nick Carlsen, senior investigator at TRM Labs and former FBI intelligence analyst.

Since Kim Jong Un took power in 2011, North Korea has expanded its cybercrime portfolio beyond IT work, pulling in billions through cryptocurrency thefts – including a record $1.5 billion heist last year. These operations have made Kim wealthier and more geopolitically relevant, validating his view of cyberoperations as an "all-purpose sword."

The Growing Threat

North Korean IT teams are now subcontracting work to developers in Pakistan, Nigeria, and India, expanding into fields like customer service, financial processing, insurance, and translation services – roles that receive less scrutiny than software development.

"Unless you have external information, you might not know they're North Korean," said Michael Barnhart, who leads nation-state threat intelligence at DTEX. "They're trying to move themselves into middle management, and it's working."

This expansion raises concerns that North Korean workers could cause real-world harm. In 2021, a North Korean hacking team infected a Kansas hospital's computer systems with ransomware, crippling servers and demanding $100,000 in bitcoin. The hospital paid.

Barnhart helped investigate this hack and discovered that North Korea's malicious hacking teams sometimes cooperate with IT teams to support their missions. "It started off as revenue generation, but the lines are getting blurrier and blurrier. If the time comes, they've got chess pieces inside organizations all over the world – and they'll start acting from the inside," he warned.

U.S. Response and Challenges

The U.S. government has taken steps to address the threat, but experts warn it's intensifying as workers' use of AI continues to scale globally. On Thursday, the Treasury Department sanctioned six individuals and two entities for their roles in DPRK government-orchestrated IT worker schemes.

Last fall, federal authorities announced a wave of criminal indictments, forfeitures, sanctions, and asset freezes targeting North Korea's illicit cyber activity. In October, the Treasury Department severed Cambodia-based Huione Group from the U.S. financial system, alleging it laundered billions in illicit proceeds.

However, cybersecurity analysts say U.S. enforcement tools are struggling to keep pace with the scale and sophistication of Pyongyang's cyberoperations. Many individuals involved operate from countries without extradition agreements with the U.S., placing them beyond the reach of U.S. law enforcement.

"It's a whack-a-mole game. It's virtually impossible to fully disrupt this," Carlsen said. "It's just a never-ending process."

North Korean leader Kim Jong Un with soldiers in North Pyongan province. Source: Korean Central News Agency via Getty Images

The Human Cost

Thousands of workers remain out of reach, most based in China. "These are the smartest people in North Korea. That's kind of the tragedy of it," Carlsen said. "They've taken their best and brightest and made them criminals."

North Korea has denied any wrongdoing, with its foreign minister condemning U.S. actions as "an absurd smear campaign" targeting the "non-existent 'cyber threat' from the DPRK." In response to questions about Chinese nationals' involvement, Chinese Embassy spokesperson Liu Pengyu said, "We oppose false allegations and smears which have no factual ground at all."

Lawmakers are seeking stronger defenses. Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Protecting America from Cyber Threats Act, which would renew key cybersecurity authorities for another decade and encourage private companies to share information about cyberthreats with the federal government.
