2 Remove Virus

US disrupts North Korean network using stolen identities to secure IT jobs

The United States has detailed a scheme that enabled North Korean IT workers to secure remote jobs at American companies by using stolen and fabricated identities. According to the Department of Justice, four US citizens and one Ukrainian national have pleaded guilty to roles in the operation, which allowed North Korean workers to infiltrate at least 136 firms across fields such as technology, finance, education, and entertainment. Court documents state that the scheme generated more than two million dollars for North Korea in violation of US sanctions.

 

 

Prosecutors said the network operated between 2019 and 2022 and relied on US-based facilitators who helped North Korean workers pass employer vetting procedures. The facilitators provided stolen identities, completed onboarding tasks, and conducted drug tests on behalf of the overseas workers. They also hosted company-issued laptops in their homes so that network connections appeared to originate in the United States. Remote access tools were installed on those devices, allowing the workers abroad to perform their jobs without drawing attention to their true location.

The Ukrainian national admitted to supplying stolen identity information that North Korean workers used to gain access to at least 40 companies. According to the government, he managed significant parts of the network, handled communications, and transferred earnings through various financial channels. He pleaded guilty to wire fraud conspiracy and aggravated identity theft and agreed to forfeit more than one million dollars in cryptocurrency and other assets. Prosecutors said the forfeiture reflects proceeds tied directly to the fraud.

One of the US defendants, a former Army service member, acknowledged receiving more than fifty thousand dollars for hosting devices, completing employment steps for the workers, and helping them circumvent corporate security procedures. Other defendants carried out similar tasks, including receiving paychecks on behalf of the workers and transferring funds through US bank accounts. The Department of Justice noted that these activities enabled the workers to remain undetected for long periods of time.

According to US officials, the operation provided North Korea with revenue that can support government programs, including cyber operations. Authorities have previously warned that the country deploys IT workers abroad to earn foreign currency and gain access to corporate networks. These workers typically present themselves as freelancers and use VPN services, remote access tools, and identity information purchased on criminal marketplaces to avoid detection. The Justice Department said the dismantling of this network reflects ongoing efforts to disrupt these practices.

Security analysts report that schemes involving remote IT work create challenges for employers because the individuals involved often possess legitimate technical skills and can pass standard hiring screens. Once inside a company’s systems, they may gain access to code repositories, infrastructure tools, or sensitive operational data. Analysts recommend that companies strengthen identity verification steps, review access privileges for remote workers, and monitor for signs of device sharing or unusual network routing.
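To make the monitoring recommendation concrete, the following added example (not taken from the court documents or any vendor's product) combines the two signals described above: several employees' company laptops egressing from one non-corporate IP address, and remote access software running on them. The record schema, the tool list, the corporate IP allowlist, and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: illustrative remote access tool names; the article names none.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk"}
# Assumption: egress IPs where many users are expected (office, corporate VPN).
KNOWN_CORPORATE_IPS = {"198.51.100.1"}

# Constructed check-in records in a hypothetical schema (documentation IP ranges).
SAMPLE_CHECKINS = [
    {"device": "LT-1001", "user": "a.smith", "egress_ip": "203.0.113.10", "processes": ["chrome", "AnyDesk"]},
    {"device": "LT-1002", "user": "b.jones", "egress_ip": "203.0.113.10", "processes": ["code", "anydesk"]},
    {"device": "LT-1003", "user": "c.lee", "egress_ip": "203.0.113.10", "processes": ["slack", "rustdesk"]},
    {"device": "LT-2001", "user": "d.kim", "egress_ip": "198.51.100.1", "processes": ["teamviewer"]},
    {"device": "LT-2002", "user": "e.roy", "egress_ip": "198.51.100.1", "processes": ["chrome"]},
    {"device": "LT-2003", "user": "f.ali", "egress_ip": "198.51.100.1", "processes": ["code"]},
    {"device": "LT-3001", "user": "g.cho", "egress_ip": "192.0.2.44", "processes": ["chrome"]},
]

def shared_egress(checkins, min_users=3, known_ips=KNOWN_CORPORATE_IPS):
    """Map each non-corporate egress IP to its users when min_users or more share it."""
    users_by_ip = defaultdict(set)
    for rec in checkins:
        if rec["egress_ip"] not in known_ips:
            users_by_ip[rec["egress_ip"]].add(rec["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def remote_tools(rec, tools=REMOTE_ACCESS_TOOLS):
    """Return the remote access tools seen in one check-in, case-insensitively."""
    return sorted({p.lower() for p in rec["processes"]} & tools)

def triage(checkins, min_users=3):
    """Rank devices: 2 = shared IP and remote tool, 1 = one signal; omit clean devices."""
    shared = shared_egress(checkins, min_users)
    findings = []
    for rec in checkins:
        tools = remote_tools(rec)
        score = int(rec["egress_ip"] in shared) + int(bool(tools))
        if score:
            findings.append({"device": rec["device"], "user": rec["user"],
                             "score": score, "tools": tools})
    return sorted(findings, key=lambda f: (-f["score"], f["device"]))

if __name__ == "__main__":
    for finding in triage(SAMPLE_CHECKINS):
        print(finding)
```

A score of 2 is a prompt for identity re-verification rather than proof of fraud, since households and shared workspaces can legitimately produce the same pattern.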

The Department of Justice stated that it is continuing to investigate related activity and is sharing information with affected companies. US officials encouraged organisations that suspect fraudulent hiring or identity misuse to report the matter to law enforcement. They said the case highlights the importance of verifying remote-work identities and reviewing security protocols for distributed teams.
