DOJ Sentences Two US Citizens to 16 Years for Running North Korean IT Worker Laptop Farms
The US Department of Justice has sentenced two individuals from New Jersey to a combined 16 years in prison for operating laptop farms that facilitated a North Korean IT worker scheme. The defendants pleaded guilty to conspiracy to commit wire fraud. Their operation maintained physical infrastructure — laptops configured to appear as if operated by US-based workers — that allowed North Korean IT operatives to pose as American remote employees at US companies, earning salaries that were then funneled back to North Korea in violation of international sanctions.
How the Scheme Worked
North Korean IT workers — often highly skilled software developers — apply for remote positions at US companies using falsified identities and credentials. Once hired, the work is performed remotely, but to appear credible, the scheme requires a US-based physical presence. Laptop farms solve this: hardware registered to US addresses, operated to show US IP addresses and time zones, that routes the actual work performed by workers in North Korea or China. The New Jersey defendants maintained this infrastructure, handled logistics of the physical devices, and laundered the earnings. Similar operations have been uncovered in multiple US states.
The Scale of the North Korean IT Worker Problem
The DOJ and FBI have issued multiple public warnings about North Korean IT worker infiltration of US tech companies. The scheme is systematic, not opportunistic: North Korea operates training programs that produce software developers specifically for overseas deployment. The earnings — estimated at hundreds of millions of dollars annually — are used to fund North Korea's weapons programs, making the remote work scheme a sanctions evasion mechanism at scale. The Mercor security breach disclosed earlier this year, which involved suspected North Korean infiltrators, is a related manifestation of the same problem.
Detection and Prevention
The difficulty of detecting North Korean IT workers has driven new approaches to remote hiring verification. Companies increasingly require live video identity verification, hardware attestation (verifying that the device used is physically where it claims to be), and behavioral analysis of work patterns that might indicate time zone inconsistencies. The DOJ has pushed companies to implement stricter onboarding verification, particularly for fully remote technical roles. The 16-year sentence is designed partly as deterrence for US-based facilitators who may view the risk-reward as favorable.
The Broader Sanctions Evasion Context
North Korea's IT worker scheme is one component of a broader effort to generate hard currency in violation of international sanctions. Cryptocurrency theft — including the $270M Drift Protocol exploit linked to North Korean actors — is another major revenue source. The combination of sophisticated cyber operations and human infiltration of legitimate employment markets makes North Korea's sanctions evasion program one of the most operationally complex among sanctioned states.
The Bottom Line
The 16-year sentences represent a significant escalation in DOJ enforcement against North Korean IT worker facilitators. Targeting the US-based infrastructure enablers — rather than the North Korean operatives themselves, who are beyond US jurisdiction — is the most actionable enforcement strategy available. The sentences signal that operating laptop farm infrastructure carries serious criminal exposure, even for facilitators who may have viewed themselves as peripheral to the scheme.
Related Articles
- Former Mercor Staffers Expose Security Breach and Suspected North Korean Infiltration
- Cyberscammers Bypassing Bank KYC Facial Scans
- NIST Narrows Vulnerability Database to Actively Exploited CVEs