- What: Two US nationals were sentenced to 108 and 92 months for running laptop farms that let North Korean IT workers pose as US-based remote employees.
- Impact: The scheme infiltrated over 100 US companies across 16 states using 80+ stolen identities, generating more than $5 million for the DPRK and roughly $3 million in damages.
- Fix / mitigation: Verify identity at hire with live checks, watch new-hire devices for remote-access tooling and address mismatches, and gate sensitive data by role.
- Who's at risk: Any company hiring remote technical staff, especially those touching ITAR-controlled or otherwise sensitive data.
Kejia Wang did not hack anyone. He hosted laptops. Company-issued machines, shipped by unsuspecting US employers to what they thought were new remote hires, sat in homes he controlled while North Korean IT workers logged in from the other side of the world. For that, he was sentenced to 108 months, nine years, in federal prison. (BleepingComputer.)
His co-defendant Zhenxing Wang got 92 months. A Ukrainian national, Oleksandr Didenko, got five years. None of them wrote an exploit. They ran a hiring fraud that turned the corporate onboarding process into a nation-state access channel.
How the scheme worked
From 2021 through October 2024, the operation used the stolen identities of more than 80 US citizens to apply for remote technical jobs. It worked. Over 100 US companies, including Fortune 500 firms across 16 states, hired the fake applicants. Each new employer shipped a laptop to the address on file, which routed to a laptop farm hosted in US homes. Once the machine was online, the operators enabled remote access so the actual North Korean workers could reach corporate networks from an apparently American IP.
Shell companies including Tony WKJ LLC, Hopana Tech LLC, and Independent Lab LLC moved the money. The scheme generated over $5 million for the DPRK and an estimated $3 million in damages to the companies that hired them. Some of those workers reached ITAR-controlled data.
This did not defeat a firewall. It defeated a hiring pipeline. The malicious insider was a legitimately payrolled employee whose real operator was in Pyongyang.
Why this keeps working
The onboarding process is a trusted path by design. HR verifies a resume, IT provisions a laptop, and access follows the org chart, not a threat model. Microsoft Threat Intelligence has warned that these operatives are now using AI to shorten the time it takes to manufacture convincing fake identities, which means the volume goes up while the effort goes down. The State Department is offering up to $5 million for information on nine remaining fugitive defendants, which tells you this is not a closed case.
The RedEye take
Everyone is scanning for the CVE and nobody is scanning the payroll. This is social engineering against your recruiters and your IT provisioning team, and most organizations have zero detection for the failure mode of a real, badged, paid employee who is a proxy for a hostile government. The control plane here is identity verification at hire and device behavior after it, not another endpoint agent. If your security program ends at the perimeter, the North Korean worker is already inside it, on the payroll, with a W-2.
What defenders should learn
- Verify identity as a live event at hire: real-time video that matches government ID, and independent validation of the address a laptop will ship to.
- Watch new-hire devices for laptop-farm signals: remote-access and KVM-over-IP tooling installed early, logins that geolocate away from the shipping address, and impossible travel between the payroll address and the source IP.
- Gate sensitive and ITAR-controlled data by role and tenure, so a brand-new remote hire cannot reach it on day one.
- Bring finance into the threat model: payments routing to freshly created LLCs, or address changes on payroll shortly after hire, are fraud signals security teams rarely see.
- Assume AI-accelerated volume. Treat identity verification as a continuous control, not a one-time checkbox at onboarding.
Caver correlates a new employee's authentication geography against their HR-of-record location, flags remote-access tooling appearing on a freshly provisioned device, and surfaces impossible-travel between the payroll address and the login source, so a laptop farm looks like exactly what it is.
The workers were real employees. The paychecks were real. The only fake thing was who was sitting at the keyboard, and for over 100 companies, nobody was looking.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us