North Korean Cyber Frauds Target U.S. Companies, Resulting in Major Indictments and Financial Seizures

Federal authorities have uncovered a massive cyberfraud scheme in which North Korean hackers exploited remote IT work to defraud U.S. companies, resulting in indictments, seizures, and arrests. The Department of Justice (DOJ) revealed that North Korean operatives used false identities to infiltrate over 100 U.S. companies, including Fortune 500 firms, with the assistance of co-conspirators in the U.S., China, the United Arab Emirates, and Taiwan. The scheme spanned from 2021 to early 2024, allowing the DPRK to funnel hundreds of millions of dollars to its authoritarian regime while evading U.S. sanctions.

One of the major schemes involved North Korean IT workers using false identities to gain employment with a blockchain research and development company in Atlanta, Georgia, and stealing virtual currency worth over $900,000. The DOJ emphasized that these fraudulent activities are part of a broader effort to fund North Korea’s weapons programs, on which the U.S. has imposed strict sanctions. Assistant Attorney General John A. Eisenberg of the DOJ’s National Security Division stated that these schemes target U.S. companies and are designed to evade sanctions while sustaining the DPRK’s illicit activities.

The DOJ unsealed a five-count indictment against Zhenxing Wang, a U.S. national of Chinese descent living in New Jersey, who was arrested. Alongside Wang, other co-conspirators, including Chinese nationals and U.S. citizens, were also charged. The indictment alleges that the defendants obtained remote IT work with U.S. companies and generated over $5 million in revenue, with some of the funds eventually being transferred to North Korea via fraudulent financial accounts.

The FBI and Defense Criminal Investigative Service (DCIS) seized 17 web domains and 29 financial accounts used in the scheme, which were later identified as channels for laundering proceeds from the thefts. These seizures underscore the U.S. government’s efforts to disrupt North Korean cyber operations and prevent such schemes from continuing to exploit U.S. businesses.

The investigation also revealed that some of the defendants used stolen personal identities to create fake profiles and gain their employers’ trust, enabling them to access sensitive data and financial systems. One of the companies targeted was a defense contractor developing artificial intelligence-powered equipment, which had access to classified International Traffic in Arms Regulations (ITAR) data. The DOJ emphasized that the stolen data could have had serious implications for U.S. national security.

Additionally, the FBI executed searches of 21 premises across 14 states, recovering 137 laptops used as part of the laptop farms that enabled remote access to company systems. These findings highlight the scale of the operation and the coordinated effort between North Korean hackers and co-conspirators to exploit the global IT workforce.

As part of the ongoing investigation, the DOJ also charged four North Korean nationals with theft and money laundering, with all four currently at large. The FBI’s Counterintelligence Division reiterated that North Korean cyber operatives have been trained to blend into the global digital workforce, systematically targeting U.S. companies for economic and strategic gain. The DOJ expressed its resolve to continue prosecuting any actors involved in such schemes, emphasizing the need to protect U.S. businesses from being inadvertently used to fund the DPRK’s unlawful ambitions.