Authorities seize financial accounts, websites, and equipment in unprecedented enforcement action
WASHINGTON — The U.S. Department of Justice announced Tuesday the results of a comprehensive investigation spanning 16 states that has exposed an elaborate scheme by North Korean operatives to infiltrate American companies through fraudulent remote employment, generating millions in illicit revenue for the Democratic People’s Republic of Korea (DPRK) regime.
The coordinated enforcement action resulted in two federal indictments, one arrest, the seizure of 29 financial accounts and 21 fraudulent websites, searches of 29 suspected “laptop farms,” and the recovery of approximately 200 computers used in the operation.
Investigation Overview
According to court documents unsealed in federal courts in Massachusetts and Georgia, the schemes involved North Korean nationals using stolen and fabricated American identities to secure remote information technology positions with more than 100 U.S. companies, including multiple Fortune 500 corporations.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.
The investigation revealed that North Korean actors were assisted by co-conspirators in the United States, China, United Arab Emirates, and Taiwan to successfully penetrate American corporate networks and, in some instances, steal sensitive information including export-controlled military technology and virtual currency.
Massachusetts Case Details
In the District of Massachusetts, authorities arrested U.S. national Zhenxing “Danny” Wang of New Jersey on a five-count indictment alleging his participation in a multi-year fraud scheme that generated more than $5 million in revenue. The indictment also charges Chinese nationals Jing Bin Huang, Baoyu Zhou, Tong Yuze, Yongzhe Xu, Ziyou Yuan, and Zhenbang Zhou, along with Taiwanese nationals Mengting Liu and Enchia Liu.
Court documents allege that from approximately 2021 through October 2024, the defendants compromised the identities of more than 80 U.S. persons to obtain remote employment at over 100 American companies. The scheme allegedly caused victim companies to incur at least $3 million in legal fees, network remediation costs, and other damages.
U.S. Attorney Leah B. Foley for the District of Massachusetts stated, “The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies.”
According to the indictment, the operation involved creating shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to provide apparent legitimacy for overseas IT workers. The defendants allegedly established laptop farms at U.S. residences, using keyboard-video-mouse (KVM) switches to enable remote access by North Korean operatives to company-provided equipment.
Defense Contractor Breach
The investigation revealed that IT workers operating under false identities gained unauthorized access to sensitive data from a California-based defense contractor developing artificial intelligence-powered military equipment. Between January and April 2024, an overseas co-conspirator allegedly accessed technical data controlled under International Traffic in Arms Regulations (ITAR).
Georgia Cryptocurrency Case
In the Northern District of Georgia, federal prosecutors unsealed a five-count indictment charging four North Korean nationals—Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il—with wire fraud and money laundering in connection with virtual currency thefts valued at over $900,000.
U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia said, “The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars.”
According to court documents, the defendants traveled to the United Arab Emirates and worked as a coordinated team. Kim Kwang Jin, using a stolen American identity, and Jong Pong Ju, operating under the alias “Bryan Cho,” were hired by an Atlanta-based blockchain research company and a Serbian virtual token company, respectively.
After gaining employer trust and access to virtual currency assets, the defendants allegedly executed thefts in February and March 2022. Jong Pong Ju is accused of stealing approximately $175,000 in virtual currency, while Kim Kwang Jin allegedly modified smart contract source code to steal approximately $740,000. The stolen funds were subsequently laundered through the virtual currency mixer Tornado Cash, according to prosecutors.
Multi-State Enforcement Operations
Between June 10-17, 2025, the FBI executed searches at 21 premises across 14 states hosting suspected laptop farms, coordinated by the FBI Denver Field Office. These operations resulted in the seizure of approximately 137 laptops and were conducted in connection with ongoing investigations by U.S. Attorney’s Offices in Colorado, Eastern Missouri, and Northern Texas.
Assistant Director Brett Leatherman of the FBI’s Cyber Division emphasized the scope of the threat: “North Korean IT workers defraud American companies and steal the identities of private citizens, all in support of the North Korean regime.”
Revenue Generation Scale
According to a May 2022 advisory from the FBI, Department of Treasury, and Department of State, individual North Korean IT workers have been known to earn up to $300,000 annually, with the collective operation generating hundreds of millions of dollars each year for designated entities including the North Korean Ministry of Defense and other organizations directly involved in weapons programs.
The Department of State has offered rewards of up to $5 million for information supporting international efforts to disrupt DPRK illicit financial activities, including cybercrimes, money laundering, and sanctions evasion.
Ongoing Initiative
These enforcement actions represent the latest developments in the Department of Justice’s “DPRK RevGen: Domestic Enabler Initiative,” a joint effort by the National Security Division and FBI Cyber and Counterintelligence Divisions targeting North Korean illicit revenue generation schemes and their U.S.-based facilitators.
Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division noted, “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”
Corporate Vigilance Recommendations
Federal authorities have published multiple advisories warning companies about red flag indicators of potential North Korean IT worker infiltration, including the use of stolen identities, proxy computers, and false websites. The FBI has urged all U.S. companies employing remote workers to maintain heightened vigilance against these sophisticated threats.
The charges described in the indictments are allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
