US nationals behind DPRK IT worker 'laptop farm' sent to prison

US Nationals Behind DPRK IT Worker Laptop Farm Sent to Prison

1) Overview

• Two U.S. nationals, Kejia Wang (42) and Zhenxing Wang (39), were sentenced after being linked to a North Korean remote IT worker operation described as a laptop farm that recruited workers posing as Americans.
• The defendants were charged in June 2025 as part of a DoJ-led action against the DPRK government’s fundraising efforts.
• Court records show that, between 2021 and October 2024, the scheme generated more than $5 million in illicit revenue for the DPRK and caused about $3 million in financial damages to U.S. companies that unknowingly employed North Korean workers using stolen identities of more than 80 Americans.
• The operation involved creating fraudulent financial accounts, fake websites, and multiple shell companies to make DPRK-linked workers appear affiliated with legitimate U.S. businesses.

2) How the Scheme Operated

• The core ploy relied on North Korean IT workers obtaining U.S. jobs by impersonating U.S. residents, typically through stolen identities.
• The operation used shell entities such as Tony WKJ LLC, Hopana Tech LLC, and Independent Lab LLC to send payments back to DPRK-associated actors.
• Zhenxing Wang coordinated the logistics by hosting company-issued laptops in homes across the United States, enabling remote access to corporate networks without drawing suspicion.
• The scammers deployed fake credentials, including forged drivers’ licenses and Social Security cards, to further legitimize their workers’ status with American employers.

3) Timeline of Key Events

• 2021–October 2024: The DPRK-linked lattice of schemes generated over $5 million in illicit revenue and caused roughly $3 million in damages to U.S. companies.
• June 2025: Nine co-conspirators and related entities were charged in connection with the broader operation and remained at large at that time.
• September 2025: Kejia Wang pleaded guilty and was sentenced to 108 months in prison for roles tied to the scheme.
• January 2026: Zhenxing Wang pleaded guilty and was sentenced to 92 months in prison for conspiracy to commit money laundering and wire fraud.
• February 2026: Ukrainian national Oleksandr Didenko, who admitted guilt earlier in 2025 to wire fraud conspiracy and aggravated identity theft, received a five-year prison term for providing stolen identities used to infiltrate U.S. firms.

4) Key Individuals and Roles

• Kejia Wang: Pleaded guilty and received a lengthy prison term for her involvement in enabling DPRK IT workers to infiltrate and work for U.S. companies.
• Zhenxing Wang: Pleaded guilty to money laundering and wire fraud conspiracies; sentenced to a multi-year term.
• Other defendants: Nine additional individuals connected to the same network were charged in 2025 and remained at large at the time of the related proceedings.
• Oleksandr Didenko: An additional co-conspirator later sentenced to five years for aiding DPRK workers with stolen identities.

5) Financial and Corporate Facades

• The operation relied on creating and maintaining fictitious entities and bank accounts to route funds and payments back to DPRK state actors.
• Fake corporate websites and business registrations helped give the appearance of legitimate business activity and worker legitimacy.
• The use of stolen identities (including driver’s licenses and Social Security cards) enabled the North Korean workers to secure employment with hundreds of U.S. companies.

6) National Security and Policy Context

• U.S. law enforcement has emphasized that North Korea maintains a substantial, clandestine IT workforce intended to generate revenue and support its weapons programs.
• The operation demonstrated how illicit IT labor can exploit legitimate U.S. corporate networks and payroll systems, highlighting vulnerabilities in employment screening, remote access controls, and identity verification.

7) Official Warnings and Enforcement Messaging

• Federal officials have long warned that DPRK actors impersonate U.S.-based IT staff to infiltrate private sector networks, with policy and enforcement efforts aimed at disrupting these operations.
• Public statements from national security leadership stressed that workers operating under stolen identities can disrupt corporate operations and threaten national security.

8) Rewards, Prosecutions, and Ongoing Work

• The State Department has publicly offered a reward (up to $5 million) for information related to specific DPRK illicit activities linked to money laundering and IT worker schemes, underscoring the ongoing international effort to disrupt these operations.
• While several co-conspirators have been identified and charged, a number of individuals remain at large, indicating continued investigations and the potential for further actions.

9) Related Coverage and Context

• The case sits alongside other reporting on DPRK-linked cyber and financial operations that cross international borders and involve complex money flows, identity fraud, and cross-border enforcement actions.
• Related topics include the broader network of individuals and entities that have been implicated or charged in similar schemes, and the ongoing efforts to bolster defenses against remote workers who may be misappropriating identities.

10) Closing Context

• The sequence of sentencing and enforcement actions reflects a sustained U.S. government focus on disrupting illicit activity linked to North Korea’s information technology operations.
• The combination of fake identities, shell companies, and dispersed device hosting illustrates how modern cyber-enabled fraud can leverage legitimate business processes to enable state-backed activities.