The United States Justice Department has revealed a sweeping set of criminal cases and civil forfeiture actions that expose how North Korean IT workers quietly infiltrated U.S. companies for years through elaborate identity fraud, remote access deception, and cryptocurrency laundering schemes. According to a newly published announcement from the Department of Justice, five individuals have pleaded guilty across several federal districts, and more than fifteen million dollars in virtual currency has been seized as part of a broader federal campaign to dismantle North Korea's global revenue operations.
This multi-year investigation spans IT worker fraud, identity theft, remote employment abuse, laundering operations, and high-value cryptocurrency heists linked to APT38, a notorious North Korean military hacking unit. The findings offer one of the most detailed looks yet at how the DPRK generates offshore revenue by embedding operatives inside legitimate American companies and using U.S. infrastructure to fund its weapons programs.
The full Justice Department announcement is available on the Office of Public Affairs website through the official press release posted by the Department of Justice, which outlines the charges, guilty pleas, forfeiture actions, and broader national security context behind the operation.
How North Korean IT Workers Penetrated the U.S. Workforce
The underlying strategy relied on a network of American and foreign facilitators who helped North Korean IT workers bypass company vetting. These schemes exploited the rise of remote work and the widespread use of cross-border contractors. The facilitators supplied U.S. identities, forged documentation, and residential addresses so that DPRK workers appeared to be physically located in the United States. The schemes were far more sophisticated than typical employment fraud. They were organized, deliberate, and designed to send stolen salaries, stolen data, and operational benefits directly back to the North Korean government.
Investigators found that facilitators across several U.S. states and Ukraine helped North Korean contractors gain employment at more than 136 American companies. They hosted laptops supplied by U.S. firms, installed remote access tools that allowed overseas workers to control the hardware, and circumvented employer security checks. Some even appeared for mandatory employer drug screenings on behalf of the foreign operatives, ensuring the façade remained intact.
These operations allowed the DPRK government to generate more than two million dollars in revenue directly from American businesses. The case files reveal a clear and coordinated effort by North Korean authorities to exploit U.S. infrastructure, steal wages, and harvest sensitive internal company data that could later be sold, extorted, or used for further cyber activity.
The Domestic Enabler Problem
One of the most troubling findings in the federal filings is the role of American citizens. Many of the defendants were not passive accomplices. They knowingly provided their own personal information to help hide the identities of DPRK workers. They also established false accounts, used alias communication channels, and provided documentation that enabled the foreign workers to move unnoticed through the U.S. hiring system.
According to the Department of Justice, the DPRK RevGen: Domestic Enabler Initiative now targets these U.S.-based participants as a national security priority. The initiative is designed to disrupt the revenue pathways North Korea depends on to finance weapons development, ballistic missile programs, and other state priorities. As part of this operation, federal agencies have been tracking the wider pattern in which North Korean IT workers use stolen identities, forged credentials, and online labor platforms to present themselves as qualified, U.S.-based technology professionals.
The Department of Justice states that North Korean IT labor can generate hundreds of millions of dollars annually for the regime, and these workers are often tied to sanctioned military or intelligence agencies. Many maintain secret communications channels, exfiltrate corporate data, and route revenue through cryptocurrency platforms to avoid sanctions.
Breakdown of the Guilty Pleas Across U.S. Districts
Charges were filed and pleas were entered in three federal districts: the Southern District of Georgia, the District of Columbia, and the Southern District of Florida. Each case offers its own insight into how North Korean IT workers obtained remote jobs and how facilitators monetized their role.
The Southern District of Georgia
Three U.S. nationals, ages 24 to 34, pleaded guilty to wire fraud conspiracy. These defendants assisted DPRK workers by providing U.S. identities, creating accounts for employment platforms, and hosting employer-issued laptops in their homes. They installed unauthorized remote access software so workers overseas could appear to be operating from U.S. soil.
The scheme generated 1.28 million dollars in fraudulent payroll, most of which was redirected abroad. One defendant, who was on active duty in the U.S. Army at the time, earned more than fifty thousand dollars for his participation. The other two earned several thousand each but enabled the system to operate at scale.
The District of Columbia
A Ukrainian identity broker pleaded guilty to wire fraud conspiracy and aggravated identity theft after stealing the identities of multiple U.S. citizens and selling them to overseas contractors, including North Korean IT workers. His fraud helped foreign operatives secure jobs at forty companies across the United States. The defendant agreed to forfeit more than 1.4 million dollars in illicit earnings, including hundreds of thousands of dollars in cryptocurrency.
The federal investigation required cooperation across multiple FBI field offices and international partners. The defendant was arrested overseas and extradited to the United States after a coordinated operation with Polish authorities.
The Southern District of Florida
Another U.S. defendant pleaded guilty to wire fraud conspiracy for supplying fraudulent remote workers to companies while knowingly enabling overseas North Korean operatives using stolen identities. His company collected nearly ninety thousand dollars, while the scheme caused more than nine hundred thousand dollars in additional damages.
Two related individuals are still facing charges, including a Mexican national awaiting extradition and another U.S. national pending trial. Together, these defendants placed DPRK operatives at more than sixty American companies, allowing the workers to funnel earnings out of the country.
The Cryptocurrency Seizures and the APT38 Connection
The Justice Department also filed two civil forfeiture complaints seeking forfeiture of more than fifteen million dollars in stolen virtual currency. These funds were seized from DPRK actors tied to APT38, a military hacking unit known for its aggressive global intrusion campaigns. APT38 is widely assessed to operate under the Lazarus umbrella, one of the most prolific state-sponsored threat groups in the world.
The currency was linked to four coordinated heists during 2023. These intrusions targeted virtual currency exchanges and payment processors in Estonia, Panama, and Seychelles. Over three hundred eighty million dollars was stolen across these four attacks. The fifteen million dollars already seized represents only a portion of the stolen total, and U.S. authorities have stated that efforts to trace and intercept additional funds are ongoing.
APT38 continues to launder funds across cryptocurrency bridges, mixers, decentralized protocols, over-the-counter brokers, and foreign exchanges. The United States has been tracking these laundering patterns for years, linking them to missile development projects, nuclear weapons funding, and other sanctioned government operations.
How North Korean IT Workers Use Remote Access to Evade Detection
The cases collectively reveal how intentional and structured these operations are. The reason the schemes went undetected for so long is that North Korean IT workers did not break into companies through hacking. They came in through HR systems, payroll systems, and the trust companies extend to remote employees. Once hired, they worked on employer-issued laptops that facilitators hosted at U.S. addresses and that the workers drove over remote access software, so the device, its network connection, and its apparent location all looked domestic, and routine security checks were satisfied with help from their American accomplices.
These workers often had extensive technical backgrounds, making them appealing to U.S. companies in need of software engineers, developers, cybersecurity analysts, or IT support staff. They performed legitimate tasks, but they also exfiltrated sensitive data, including source code, development environments, proprietary business intelligence, and internal documentation. In some cases, the Justice Department notes that these workers committed data extortion or exfiltrated sensitive information as leverage for further payment.
Because the schemes involved actual employment, the fraud was hidden beneath normal corporate activity. Salaries were paid regularly. Work was done. Performance metrics looked normal. The only anomaly was the geographic deception and the redirection of salary funds overseas.
Warnings from the FBI and National Security Community
The FBI and the Office of the Director of National Intelligence have issued several public advisories describing the methods used by North Korean IT workers, including warnings in 2024 and 2025 that detailed how these operatives steal identities, manipulate online labor platforms, and compromise employer systems. The FBI reports that DPRK IT workers can earn as much as three hundred thousand dollars annually and contribute hundreds of millions of dollars to sanctioned North Korean entities each year.
These operations involve social media, encrypted messaging, anonymized payment systems, and networks of brokers that help place DPRK workers into American companies without triggering background check alerts. The FBI states that companies must improve their vetting of remote staff and adopt stronger identity verification for remote access systems.
Implications for Corporate Security and the Future of Remote Hiring
The exposure of these schemes has far-reaching implications for corporate cybersecurity, HR policies, and remote work procedures. Because North Korean IT workers accessed sensitive systems through legitimate employee accounts, traditional perimeter defenses did not detect the problem. Companies must now consider the possibility that employees who appear fully vetted may not be who they claim to be, and that identity fraud can be part of a state-sponsored operation.
Organizations are encouraged to implement stronger device security, enhanced identity verification, and stricter monitoring of remote access software on corporate endpoints. The facts in these cases point to concrete signals worth alerting on: remote-control tools launched on an employer-issued laptop, several employees' laptops authenticating from the same residential IP address, and login geolocation that disagrees with the address and work location in the HR record. Employers should review logs for these patterns, which indicate a device being controlled from outside the expected region, and escalate hits to HR for a live identity check rather than treating them as routine IT noise.
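The following is an added example, not code from the original article or from the Department of Justice, that turns the remote access pattern described above and the monitoring advice in this section into a small triage script. It correlates three signals most organizations already collect: remote-control software starting on a corporate laptop, several employee logons sharing one public IP address, and a logon geolocation that contradicts the HR record. The roster, the telemetry lines, and the list of remote-control executables are all constructed for illustration and are assumptions, not data from the cases.

```python
"""Triage for laptop-farm indicators over constructed endpoint telemetry.

Signals correlated (all from the article's description of the scheme):
  1. remote-control software started on an employer-issued laptop,
  2. several "employees" whose laptops log on from one public IP,
  3. the logon geolocation disagreeing with the employee's HR record.
"""
import csv
import io
from collections import defaultdict

# Constructed HR roster (assumption): user -> declared country of work.
HR_ROSTER = {"alice": "US", "bob": "US", "carol": "US", "dave": "US"}

# Hypothetical deny-list of remote-control executables; tune to your estate.
REMOTE_CONTROL_PROCS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Constructed telemetry (assumption): one CSV row per endpoint event.
SAMPLE_LOG = """\
ts,user,host,event,detail,src_ip,geo
2025-03-01T13:02:11Z,alice,LT-001,logon,interactive,203.0.113.10,US
2025-03-01T13:04:50Z,alice,LT-001,process,anydesk.exe,203.0.113.10,US
2025-03-01T13:05:02Z,bob,LT-002,logon,interactive,203.0.113.10,US
2025-03-01T13:06:40Z,carol,LT-003,logon,interactive,203.0.113.10,US
2025-03-01T13:07:15Z,carol,LT-003,process,teamviewer.exe,203.0.113.10,US
2025-03-01T14:00:00Z,dave,LT-004,logon,interactive,198.51.100.7,DE
2025-03-01T14:10:00Z,dave,LT-004,process,code.exe,198.51.100.7,DE
"""


def parse_log(text):
    """Parse the CSV telemetry into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_indicators(events, roster, shared_ip_threshold=3):
    """Return {user: [indicator, ...]} for every user with at least one hit.

    shared_ip_threshold is the number of distinct users on one source IP
    that we treat as suspicious; two can be a household, three rarely is.
    """
    findings = defaultdict(list)
    users_by_ip = defaultdict(set)
    for e in events:
        user, host = e["user"], e["host"]
        if e["event"] == "process" and e["detail"].lower() in REMOTE_CONTROL_PROCS:
            findings[user].append(f"remote-control tool {e['detail']} on {host}")
        elif e["event"] == "logon":
            users_by_ip[e["src_ip"]].add(user)
            expected = roster.get(user)
            if expected and e["geo"] != expected:
                findings[user].append(f"logon from {e['geo']} but HR says {expected}")
    for ip, users in users_by_ip.items():
        if len(users) >= shared_ip_threshold:
            for u in users:
                findings[u].append(
                    f"shares public IP {ip} with {len(users) - 1} other employees"
                )
    return dict(findings)


def rank(findings):
    """Order users by number of indicators, most suspicious first."""
    return sorted(((u, len(hits)) for u, hits in findings.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    hits = find_indicators(parse_log(SAMPLE_LOG), HR_ROSTER)
    for user, count in rank(hits):
        print(f"{user}: {count} indicator(s)")
        for line in hits[user]:
            print(f"  - {line}")
```

On the constructed data, alice and carol each get two indicators (a remote-control tool plus a shared residential IP), bob one (the shared IP only), and dave one (a logon from a country that does not match the roster). None of these is proof on its own: a shared IP can be an office NAT or a VPN egress, and a remote-control tool may be sanctioned IT support, so the output is a queue for HR and security to verify with a live identity check and a comparison of the laptop's shipping address against where it actually logs on.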
This investigation also highlights how the intersection of remote work and global identity marketplaces can create national security risks that companies are not prepared for. The federal cases show that corporate hiring practices can be exploited as easily as technical vulnerabilities.
What This Means for Cybercrime and National Security
The Justice Department’s actions represent one of the most extensive federal responses to the DPRK’s overseas revenue operations. The guilty pleas, extraditions, and forfeiture actions signal that the United States is prioritizing the shutdown of the financial pipelines that fuel the regime’s weapons development. The APT38 seizures are particularly significant because they directly interfere with state-sponsored cyber operations responsible for some of the largest virtual currency thefts in history.
At the same time, these cases demonstrate the adaptability of North Korea’s cyber and IT workforce strategy. Despite sanctions and international pressure, the DPRK continues to evolve its methods, relying on identity theft, remote employment deception, cryptocurrency laundering, and global brokers who help operatives bypass restrictions.
The Justice Department and FBI have urged companies to remain vigilant, conduct more thorough vetting of remote applicants, and treat suspicious identity patterns as potential national security concerns rather than routine HR issues.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.