American duo sentenced for hosting laptop farms for North Korean IT workers


Two U.S. nationals were sentenced to 18 months in prison for running laptop farms that facilitated North Korea’s expansive remote IT workers scheme, the Justice Department said Wednesday.

Matthew Isaac Knoot and Erick Ntekereze Prince both received and hosted laptops at their residences to dupe U.S. companies into thinking remote IT workers they hired were located in the country. The pair’s separate schemes impacted almost 70 U.S. companies and generated a combined $1.2 million in revenue for the North Korean regime.

“The FBI and our partners will continue to disrupt North Korea’s ability to circumvent sanctions and fund its totalitarian regime,” Brett Leatherman, lead of the FBI’s Cyber Division, said in a statement. “These cases should leave no doubt that Americans who choose to facilitate these schemes will be identified and held accountable. Hosting laptops for DPRK IT workers is a federal crime which directly impacts our national security, and these sentences should serve as a warning to anyone considering it.”

Knoot, of Nashville, Tennessee, and Prince, of New York, received the laptops from unsuspecting U.S. companies and installed remote desktop applications on the machines to enable co-conspirators to work from anywhere while appearing to be based at their respective residences.

Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024. He pleaded guilty in November 2025 to wire fraud conspiracy for his yearslong involvement in the North Korean IT worker scheme. 

Prince was indicted and charged in January 2025 along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments. 

A federal judge sentenced Prince Wednesday and ordered him to forfeit $89,000, which is the amount he netted personally. 

Knoot was arrested in August 2024, a year after the FBI searched his home. Officials said he made multiple false and misleading statements and destroyed evidence to obstruct the investigation at that time. 

Victim companies paid North Korean workers linked to Knoot’s laptop farm more than $250,000 from July 2022 to August 2023. The remote IT workers transferred those funds to Knoot and accounts associated with North Korean and Chinese nationals, officials said. 

Knoot was sentenced May 1 and ordered to pay $15,100 in restitution to the victim companies and forfeit an additional $15,100, which is equivalent to the amount of his direct take from the scheme.

The pair of North Korean operatives join a growing list of people who have been charged and jailed for supporting the regime’s scheme that generates hundreds of millions of dollars annually for the country’s military and organizations involved in its weapons programs.

Authorities have been cracking down on the malicious insider activity by seizing cryptocurrency linked to the theft, and targeting U.S.-based facilitators who provided forged or stolen identities and hosted laptop farms for North Korean operatives. 

The countermeasures are stacking up, but the scheme is widespread and has infiltrated an undetermined number of businesses, including hundreds of Fortune 500 companies.

Federal judges previously sentenced other people to prison for their involvement in the scheme, including Kejia Wang and Zhenxing Wang; Audricus Phagnasay, Jason Salazar and Alexander Paul Travis; Oleksandr Didenko and Christina Chapman.

“These sentences hold accountable U.S. nationals who enabled North Korea’s illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies,” John A. Eisenberg, assistant attorney general for national security, said in a statement.

“These defendants helped North Korean ‘IT workers’ masquerade as legitimate employees, compromising U.S. corporate networks and helping generate revenue for a heavily sanctioned and rogue regime,” he added. “The National Security Division will continue to pursue those who, through deception and cyber-enabled fraud, threaten our national security.”

The post American duo sentenced for hosting laptop farms for North Korean IT workers appeared first on CyberScoop.

US nationals sentenced for aiding North Korea’s tech worker scheme

Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 

The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia.

The elaborate scheme involved shell companies posing as software development firms, money laundering, and espionage with national security implications. Operatives involved in the conspiracy stole sensitive files from a California-based defense contractor related to U.S. military technology controlled under International Traffic in Arms Regulations (ITAR), officials said.

“Democratic People’s Republic of Korea (DPRK) IT workers are not limited to revenue generation. When tasked, they can operationalize their placement and access to support strategic intelligence requirements, including intellectual property theft, network disruption or extortion,” Michael Barnhart, nation state investigator at DTEX, told CyberScoop.

While most of North Korea’s scheme is focused on revenue, it sometimes applies a dual-use approach, tasking certain privileged IT workers with malicious activity aiding other state-backed hacking groups, Barnhart added.

“Not all IT workers can be hackers but every North Korean hacker can or has been an IT worker,” he said. “This distinction matters for insider‑threat analysis because unlike typical fraudulent hires motivated by personal financial gain, IT workers can inflict national‑security‑level damage.”

Kejia Wang, 42, Zhenxing Wang, 39, and their co-conspirators stole the identities of at least 80 U.S. residents to facilitate the hiring of North Korean operatives and collected at least $696,000 in fees combined, officials said. U.S. victim companies also incurred legal fees, remediation costs and other damages and losses exceeding $3 million.

Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 

The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.

The conspiracy, which ran from at least 2021 through October 2024, relied in part on shell companies — Hopana Tech, Tony WKJ and Independent Lab — the men set up to create the appearance of legitimate businesses. 

“Pairing a U.S. person, a U.S. address, and a front company such as Independent Lab, the facilitators created the illusion of a legitimate domestic effort allowing the IT workers to present themselves as U.S.-based without triggering suspicion during onboarding or daily workflows,” Barnhart said. 

“Front companies can act as that middle financial flow from victim companies back to DPRK units, which then pushes funds upward through the Workers’ Party of Korea to support whichever program the unit was aligned with, whether weapons development or domestic priorities,” he added. 

These front companies reflect a higher level of tradecraft that exploits a weak spot in insider risk assessments because threats aren’t always a malicious person trying to break into a network, Barnhart said. “Sometimes it looks like an entire company appearing clean on paper.”

Authorities have responded to North Korea’s scheme by targeting U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and seizing cryptocurrency linked to theft. 

Law enforcement wins are stacking up, but researchers warn that North Korea’s operation is massive and consistently evolving. 

The sentencing of Kejia Wang and Zhenxing Wang comes less than a month after a trio of American men were sentenced for similar crimes, including the operation of laptop farms, wire fraud and identity theft. 

The Justice and Treasury Departments have also issued indictments and sanctioned people and entities allegedly involved in North Korea’s effort to send thousands of specialized technical professionals outside of the country to secure jobs under false pretenses and funnel their wages back to Pyongyang.

The post US nationals sentenced for aiding North Korea’s tech worker scheme appeared first on CyberScoop.

Trio sentenced for facilitating North Korean IT worker scheme from their homes

Three American men were sentenced Friday for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.

The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.

They hosted U.S. company-provided laptops at their homes and installed remote-access software so North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, prosecutors said.

Travis, an active-duty member of the U.S. Army at the time, received about $51,000 from the scheme. He was sentenced to one year in prison and ordered to forfeit about $193,000.

Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively, and were both sentenced to three years of probation and a $2,000 fine. A federal court ordered Salazar to forfeit about $410,000 and ordered Phagnasay to forfeit nearly $682,000.

“These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government — all in return for what to them seemed like easy money,” Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement. 

“These schemes present a significant challenge to our national security, and we applaud our investigative partners working to secure our digital borders,” Heap added.

The trio facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts for their assistance were relatively low.

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. 

Law enforcement wins on both fronts are stacking up, but researchers warn that North Korea’s operation is massive in scale and consistently evolving.

Microsoft Threat Intelligence earlier this month warned that North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s scheme – automating and improving efforts across the attack lifecycle.

The post Trio sentenced for facilitating North Korean IT worker scheme from their homes appeared first on CyberScoop.

Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI accounts for most threat activity involving AI, but Microsoft said a transition to agentic AI is underway.

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential agentic AI systems pose for more advanced and damaging activity.

The post Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI appeared first on CyberScoop.

Ukrainian sentenced to 5 years in prison for facilitating North Korean remote worker scheme

A Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to get remote IT workers hired at U.S. companies was sentenced to five years in prison, the Justice Department said Thursday.

Oleksandr Didenko stole U.S. citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.

Didenko ran a site, upworksell.com, to sell the stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. He managed up to 871 identities through the laptop farms and helped North Korean technical workers gain employment at 40 U.S. companies. 

Didenko funneled money from Americans and U.S. businesses into the coffers of North Korea’s hostile regime, Jeanine Pirro, U.S. attorney for the District of Columbia, said in a statement. 

“Today, North Korea is not only a threat to the homeland from afar, it is an enemy within. By using stolen and fraudulent identities, North Korean actors are infiltrating American companies, stealing information, licensing, and data that is harmful to any business,” she added. 

Officials said Didenko’s North Korean clients were paid hundreds of thousands of dollars for their work, much of which was falsely reported in the names of U.S. citizens whose identities were stolen.

“Money paid to these so-called employees goes directly to munitions programs in North Korea,” Pirro said. “This is not just a financial crime; it is a crime against national security.” 

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. He was arrested by Polish police in late 2024, and later extradited to the United States. 

Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft, and agreed to forfeit more than $1.4 million as part of his sentencing. He was also ordered to pay almost $47,000 in restitution.

U.S. law enforcement has racked up some wins by seizing stolen cryptocurrency and targeting U.S.-based facilitators who provide forged or stolen identities for North Korean operatives. 

Yet, the regime’s scheme runs deep. North Korean nationals have infiltrated many top global companies, and researchers continue to uncover evidence of new tactics and techniques operatives have used to evade detection.

The post Ukrainian sentenced to 5 years in prison for facilitating North Korean remote worker scheme appeared first on CyberScoop.

DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts

The Justice Department notched a few more wins in the fight against North Korean cryptocurrency heists and the regime’s expansive scheme to get remote IT workers hired at U.S. businesses. 

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. Law enforcement wins on both fronts are stacking up.

Oleksandr Didenko, a 28-year-old Ukrainian national, pleaded guilty to wire fraud conspiracy and aggravated identity theft in the U.S. District Court for the District of Columbia Monday for stealing the identities of U.S. citizens and selling them to overseas IT workers. His years-long scheme helped North Korean IT workers gain employment at 40 U.S. companies, officials said. 

Didenko ran a site, upworksell.com, to sell stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. Didenko managed up to 871 identities through the laptop farms and collaborated with other co-conspirators in the United States.

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. In late 2024, he was arrested by Polish police and later extradited to the United States. Didenko agreed to forfeit more than $1.4 million, and his sentencing is scheduled for Feb. 19, 2026.

Justice Department officials applauded other recent court case wins, demonstrating the arduous work required to find and punish those who facilitate the North Korean remote IT worker scheme.

Three U.S. nationals — Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34 — each pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Georgia Thursday for providing U.S. identities to remote North Korean IT workers. 

The trio hosted U.S. company-provided laptops at their homes and installed remote-access software so the North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, officials said.

The scheme supported by the three men facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts for their assistance were relatively low. Travis, an active-duty member of the U.S. Army at the time, received about $51,000, while Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively.

Last week, another U.S. national, 30-year-old Erick Ntekereze Prince, pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Florida for his yearslong involvement in the North Korean IT worker scheme. Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024.

Officials said Prince earned more than $89,000 from the scheme, which also involved hosting company-provided laptops at Florida residences and installing remote-access software. Prince was indicted and charged in January along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments.

The five people who pleaded guilty during the past week impacted more than 136 U.S. victim companies, officials said. Their crimes generated more than $2.2 million for North Korea’s regime and compromised the identities of at least 18 U.S. residents. 

“These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans,” John A. Eisenberg, assistant attorney general for national security, said in a statement. “The department will use every available tool to protect our nation from this regime’s depredations.”

Finally, the Justice Department said it seized more than $15 million in cryptocurrency from APT38, a nation-state hacking group with ties to North Korea. Officials said the seized funds were traced to four separate virtual currency heists in 2023.

The post DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts appeared first on CyberScoop.

North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, IT company and financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank aids in avoiding sanctions between China and North Korea. The five employees are China- or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. “The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.
