Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams
The North Korean government has long found a lucrative way to evade sanctions by secretly applying for remote tech jobs in the West, using stolen identities and infiltrating US-based companies. A recent takedown operation by American law enforcement has shed light on just how extensive this infrastructure is in the United States, with over 80 American identities being stolen by North Korean impersonators.
On Monday, the Department of Justice announced a sweeping operation to crack down on US-based elements of the North Korean remote IT worker scheme. Indictments were issued against two Americans who authorities say were involved in the operations: Kejia Wang and Zhenxing Wang, both based in New Jersey. The FBI has arrested one of the men, Zhenxing Wang.
Authorities also searched 29 "laptop farms" across 16 states that were allegedly used to receive and host company-issued PCs which North Korean workers then accessed remotely. Agents seized around 200 computers, along with 21 web domains and 29 financial accounts tied to the operation.
The DOJ's announcement reveals how the North Koreans didn't just create fake IDs, but allegedly stole the identities of more than 80 US persons to impersonate them in jobs at over a hundred US companies. "It's huge," says Michael Barnhart, an investigator focused on North Korean hacking and espionage at DTEX, a security firm.
"Whenever you have a laptop farm like this, that's the soft underbelly of these operations. Shutting them down across so many states, that's massive."
The two American men, accused of helping to steal the identities of scores of Americans for North Korean operatives to assume, allegedly worked with six named Chinese co-conspirators and two Taiwanese nationals.
Prosecutors accuse the two men of receiving laptops sent to them by their employers, setting up remote access for North Koreans to control those machines from across the world, and creating shell companies and bank accounts that allowed the North Korean government to receive salaries. The DOJ says the two American men also accessed personal details of more than 700 Americans in searches of private records.
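The mechanism prosecutors describe, many company-issued laptops physically co-located at one address and driven from abroad over remote access, leaves a simple signal in the telemetry a corporate device-management or VPN service already collects: laptops issued to unrelated employees, with scattered home states on file, all checking in from the same residential egress IP, often with a remote-control agent running. The following is an added example of that correlation, not code from the article or from any of the parties it names; the record format, the asset tags, user names, IPs and remote-tool process names are all constructed placeholders.

```python
"""Flag company laptops that appear to be co-located in a laptop farm.

Added example, not from the article. Assumes endpoint telemetry with: the
laptop's asset tag, the employee it was issued to, that employee's home state
on file with HR, the public egress IP the laptop checked in from, and any
remote-access process observed on it. All sample values below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Checkin:
    device_id: str    # asset tag of the company-issued laptop
    employee: str     # person the laptop was issued to
    home_state: str   # home state in HR records for that employee
    egress_ip: str    # public IP the device-management server saw
    remote_tool: str  # remote-access process seen running, "" if none


# Constructed sample telemetry (hypothetical tags, users, IPs, process names).
SAMPLE_CHECKINS: List[Checkin] = [
    Checkin("LT-1041", "a.rivera", "TX", "203.0.113.7", "remote-tool-a"),
    Checkin("LT-2230", "m.chen", "FL", "203.0.113.7", "remote-tool-a"),
    Checkin("LT-3178", "d.okafor", "WA", "203.0.113.7", ""),
    Checkin("LT-3178", "d.okafor", "WA", "203.0.113.7", "kvm-agent"),
    Checkin("LT-0917", "s.patel", "NY", "198.51.100.23", ""),
    Checkin("LT-0917", "s.patel", "NY", "198.51.100.23", ""),
    Checkin("LT-4402", "j.nguyen", "CA", "192.0.2.55", ""),
    # Corporate office egress: many devices, but expected and allowlisted.
    Checkin("LT-5001", "k.lee", "CA", "192.0.2.200", ""),
    Checkin("LT-5002", "r.gomez", "CA", "192.0.2.200", ""),
    Checkin("LT-5003", "t.ahmed", "CA", "192.0.2.200", ""),
]

# Egress IPs that legitimately front many devices (offices, VPN concentrators).
KNOWN_CORPORATE_EGRESS: Set[str] = {"192.0.2.200"}


def suspect_egress_ips(
    checkins: List[Checkin],
    min_devices: int = 3,
    allowlist: Set[str] = frozenset(),
) -> Dict[str, dict]:
    """Return egress IPs that host at least `min_devices` distinct laptops
    issued to at least `min_devices` distinct employees, excluding allowlisted
    corporate egress. The finding carries the spread of home states and any
    remote-control agents seen, which is what an analyst triages on."""
    by_ip: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"devices": set(), "employees": set(), "states": set(), "tools": set()}
    )
    for c in checkins:
        if c.egress_ip in allowlist:
            continue
        rec = by_ip[c.egress_ip]
        rec["devices"].add(c.device_id)
        rec["employees"].add(c.employee)
        rec["states"].add(c.home_state)
        if c.remote_tool:
            rec["tools"].add(c.remote_tool)

    findings: Dict[str, dict] = {}
    for ip, rec in by_ip.items():
        if len(rec["devices"]) >= min_devices and len(rec["employees"]) >= min_devices:
            findings[ip] = {
                "devices": sorted(rec["devices"]),
                "employees": sorted(rec["employees"]),
                "home_states": sorted(rec["states"]),
                "remote_tools": sorted(rec["tools"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in suspect_egress_ips(SAMPLE_CHECKINS, allowlist=KNOWN_CORPORATE_EGRESS).items():
        print(ip, f)
```

The allowlist is the important caveat: an office or a split-tunnel VPN egress will trip a bare "many devices behind one IP" rule every day, so seed it from known corporate ranges before alerting. The residual signal worth escalating is several laptops issued to employees whose HR records put them in different states, all behind one residential IP, with a remote-control agent present; each of those three facts alone is benign.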
For the individuals the North Koreans impersonated, the defendants allegedly went further still, using scans of the victims' driver's licenses and Social Security cards to let the North Koreans apply for jobs under those names. It's not clear how these documents were obtained, but Barnhart says North Korean impersonation operations typically source them from dark web cybercriminal forums or data leak sites.
"They have a stable of these," says Barnhart. "Any place a criminal is going to get an ID, they're just going to piggyback, because then they don't even have to carry out the breach. It's already out there."
Barnhart also notes that North Korean impersonators often screen their stolen identities for criminal backgrounds and choose to impersonate Americans based in states without income tax to maximize their earnings.
Separately from the charges against the two New Jersey men, prosecutors announced that the FBI had searched 21 other suspected laptop farms across 14 US states and seized approximately 137 PCs used in North Korean remote-worker schemes. In two cases, North Koreans used their insider access to steal over $900,000, including around $740,000 taken from one Atlanta-based company.
While most of the North Korean impersonation schemes were focused on money, prosecutors also note that one of the companies the North Korean workers penetrated was a California-based defense contractor focused on AI-related technology. In that case, the government says the impersonators accessed, and likely stole, technical data protected under export controls.
"This is going to put a heavy dent in what they're doing," says Barnhart. "But as we adapt, they adapt."