The North Korean government, struggling under the weight of international sanctions, has for years seeded companies in the United States and elsewhere with remote tech workers camouflaged by false and stolen identifies to generate desperately needed revenue, federal prosecutors say.
Taking advantage of the global demand for skilled tech employees and the rise in remote employment, the North Korean regime has found a way to work around United Nations and United States sanctions imposed on it for its nuclear weapons program, the prosecutors said in two indictments unsealed in federal district courts in Massachusetts and Georgia. It has also used the access to steal both money and information, they said.
“Thousands of North Korean cyber-operatives have been trained and deployed by the regime to blend into the global digital work force,” Leah Foley, the chief federal prosecutor in Massachusetts, said in announcing the charges on Monday. She called the threat “both real and immediate.”
On Monday, federal law enforcement authorities took a series of actions across 16 states aimed at shutting down the scheme. Investigators seized dozens of financial accounts and fraudulent websites and searched “laptop farms” that allowed North Korean operatives to gain access to the computers that companies provide their off-site employees, prosecutors said.
In recent years, North Korean attempts to evade sanctions using false identities have been increasingly been raising alarm. There is evidence that the operation has expanded geographically, targeting Europe in particular, according to a report from the Google Threat Intelligence Group in April.
Last year, the Justice Department and the F.B.I. launched an initiative to identify people in the United States believed to be helping North Koreans advance the plots, some of them without their knowledge.
In one of the cases brought by federal prosecutors this week, American, Chinese and Taiwanese citizens were accused of involvement in a plot that compromised about 80 American identities. The falsified identities were used to help North Koreans get remote tech jobs with over 100 companies across dozens of states in a range of industries between 2021 and 2024.
Prosecutors say the scheme generated about $5 million for North Korea, and cost American business some $3 million in damages and expenses. It also exposed sensitive information, including some related to military technology, they said.
The defendants are said to have used online background check services to cull personal information and create personas for the North Koreans so that they appeared authorized to work in the United States. They conducted records checks of hundreds of individuals, including dozens whose identities were stolen, prosecutors said.
To bolster the falsified identities, participants in the scheme created fake companies, websites and bank accounts and arranged to receive the company laptops delivered to the remote workers in the United States, prosecutors said. Then, the authorities said, they granted remote access to the laptops to North Korean operatives working abroad. .
The second case unsealed this week, in the Northern District of Georgia, charges four North Koreans with theft and money laundering involving about $900,000 in cryptocurrency. The remote workers used false identities from Malaysia to perpetrate the scheme and worked out of the United Arab Emirates, prosecutors say.
The defendants sought jobs in the crypto industry, according to the indictment. One was hired as a developer at an Atlanta-based company, and another worked for a Serbian firm. Together they diverted nearly $1 million in crypto from their employers, and their accused co-conspirators laundered the funds,, according to the indictment.
The American authorities have been raising alarms about the problem since at least 2022, when the F.B.I., along with the State and Treasury Departments, issued an advisory warning to the international community about infiltration. Operatives working mostly in North Korea, China and Russia were relying on an expansive network abroad to get jobs, targeting Europe and East Asia, the advisory said.
After the American warning, North Korean workers increasingly began seeking contracts elsewhere, according to an April report from a lead adviser to the Google Threat Intelligence Group in Europe, James Collier.
One North Korean worker ran at least 12 personas across Europe and the United States in late 2024, seeking jobs at defense companies and in governments, using fabricated references , the report says. There is also evidence of operatives and assistants working in Portugal, Germany and Britain.
“In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility,” Mr. Collier said. That evolution, he said, suggests they will continue being able to run the financing schemes.