Feds Crack Down on North Korean Spies Working Remote IT Jobs Through American ‘Laptop Farms’

The DOJ has busted 29 North Korean laptop farms across 16 states, alleging that illicit IT workers located in the communist dictatorship obtained employment with over 100 American companies to help fund the regime’s weapons programs.

The DOJ announced this week that it has conducted a series of actions targeting North Korean IT workers who have successfully infiltrated American companies. The operation included two indictments, an arrest, searches of 29 known or suspected “laptop farms” across 16 states, and the seizure of 29 financial accounts used for money laundering and 21 fraudulent websites.

The Justice Department revealed that certain U.S.-based individuals allegedly enabled one of the schemes by creating front companies and fraudulent websites to promote the credentials of the remote IT workers, and by hosting laptop farms where the North Korean operatives could remotely access computers provided by their victims. These laptop farms avoid the suspicion that would arise from shipping a laptop outside the country for a supposedly U.S.-based worker.

International sanctions have made it nearly impossible for North Korea to fund its nuclear ambitions through legitimate means. As a result, the country has turned to alternative sources of income, such as stealing billions of dollars' worth of cryptocurrency, conducting ransomware operations, and now, placing operatives in high-paying jobs at U.S. tech companies.

The State Department, Treasury Department, and FBI had previously warned in 2022 that North Korea had dispatched thousands of highly skilled IT workers worldwide, often misrepresenting themselves as foreign or U.S.-based teleworkers. These operatives use virtual private networks (VPNs), virtual private servers (VPSs), purchased third-country IP addresses, proxy accounts, and falsified or stolen identification documents to evade detection.

Despite the revelation of these funding operations, North Korea has not been discouraged. In fact, Google Cloud reported in March that the threat has evolved, with North Korean IT workers expanding their reach beyond the U.S., particularly focusing on Europe. They have also intensified extortion campaigns against employers and moved to conduct operations in corporate virtual desktops, networks, and servers.

Shutting down these operations can help protect companies from North Korean operatives who plan to use their access to private resources to steal intellectual property, provide information for more overt cybercrime, and steal cryptocurrency. In one case, an undercover worker stole virtual currency worth over $900,000 from an Atlanta-based company.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
