For years, the North Korean government has found a burgeoning source of sanctions-evading revenue by tasking its citizens with secretly applying for remote tech jobs in the West. A newly revealed takedown operation by American law enforcement makes clear just how much of the infrastructure used to pull off those schemes has been based in the United States—and just how many Americans’ identities were stolen by the North Korean impersonators to carry them out.
On Monday, the Department of Justice announced a sweeping operation to crack down on US-based elements of the North Korean remote IT workers scheme, including indictments against two Americans who the government says were involved in the operations—one of whom the FBI has arrested. Authorities also searched 29 “laptop farms” across 16 states allegedly used to receive and host the PCs the North Korean workers remotely access, and seized around 200 of those computers as well as 21 web domains and 29 financial accounts that had received the revenue the operation generated. The DOJ’s announcement and indictments also reveal how the North Koreans didn’t merely create fake IDs to insinuate themselves into Western tech firms, according to authorities, but allegedly stole the identities of “more than 80 US persons” to impersonate them in jobs at more than a hundred US companies and funnel money to the Kim regime.
“It’s huge,” says Michael Barnhart, an investigator focused on North Korean hacking and espionage at DTEX, a security firm focused on insider threats. “Whenever you have a laptop farm like this, that’s the soft underbelly of these operations. Shutting them down across so many states, that’s massive.”
In total, the DOJ says it’s identified six Americans it believes were involved in a scheme to enable the North Korean tech worker impersonators, though only two have been named and criminally charged—Kejia Wang and Zhenxing Wang, both based in New Jersey—and only Zhenxing Wang has been arrested. Prosecutors accuse the two men of helping to steal the identities of scores of Americans for the North Koreans to assume, receiving laptops sent to them by their employers, setting up remote access for North Koreans to control those machines from across the world—often enabling that remote access using a hardware device called a “keyboard-video-mouse switch” or KVM—and creating shell companies and bank accounts that allowed the North Korean government to receive the salaries they allegedly earned. The DOJ says the two American men also worked with six named Chinese coconspirators, according to the charging documents, as well as two Taiwanese nationals.
To create the cover identities for the North Korean workers, prosecutors say the two Wangs accessed the personal details of more than 700 Americans in searches of private records. But for the individuals the North Koreans impersonated, they allegedly went far further, using scans of the identity theft victims’ drivers’ licenses and Social Security cards to enable the North Koreans to apply for jobs under their names, according to the DOJ.
It’s not clear from the charging documents just how those personal documents were allegedly obtained. But DTEX’s Barnhart says North Korean impersonation operations typically obtain Americans’ identifying documents from dark web cybercriminal forums or data leak sites. In fact, he says the 80-plus stolen identities cited by the DOJ represent a tiny sample of thousands of US IDs he’s seen pulled in some cases from North Korean hacking operations’ infrastructure.