{"id":4892,"date":"2026-04-27T04:37:17","date_gmt":"2026-04-27T04:37:17","guid":{"rendered":"https:\/\/stock999.top\/?p=4892"},"modified":"2026-04-27T04:37:17","modified_gmt":"2026-04-27T04:37:17","slug":"north-korean-it-workers-are-stealing-remote-jobs-and-americans-are-helping-them-do-it","status":"publish","type":"post","link":"https:\/\/stock999.top\/?p=4892","title":{"rendered":"North Korean IT workers are stealing remote jobs\u2014and Americans are helping them do it"},"content":{"rendered":"<p><img src=\"https:\/\/fortune.com\/img-assets\/wp-content\/uploads\/2026\/04\/GettyImages-1152948850-2-e1777065608326.jpg?w=2048\" \/><\/p>\n<p>This month, a federal judge in Massachusetts sentenced Kejia \u201cTony\u201d Wang, a 42-year-old husband and father from New Jersey, to nine years in prison for spearheading what prosecutors described as an international fraud operation that placed North Korean IT workers in tech jobs at more than 100 American companies\u2014including Fortune 500 firms.<\/p>\n<p>Over the course of three years, Wang\u2019s network stole the identities of more than 80 Americans, forged fake social security cards and California driver\u2019s licenses with photos of the North Korean operatives, filed false employment forms with the Department of Homeland Security, and doctored tax documents that went to the IRS and Social Security Administration. The scheme, in which the North Koreans got hired using Americans\u2019 stolen identities, generated more than $5 million in salary payments from the victim companies. The subsequent fallout once it was uncovered caused at least $3 million in legal fees and computer clean-up costs at businesses in 28 states and the District of Columbia, court records show. Another participant in the scheme, Zhenxing Wang, 39\u2014no relation to Kejia Wang, but a friend since both men arrived from China nearly 20 years ago\u2014was sentenced to nearly eight years in prison. 
The court ordered both to forfeit $600,000, collectively, that they were paid from their part in the fraud.<\/p>\n<p>The Wang prison terms bring the number of Americans convicted for aiding North Korean leader Kim Jong Un\u2019s government to at least seven since last year. The group includes a former active-duty U.S. Army soldier, an Arizona woman, a nail technician from Maryland, and two men from California. All earned thousands of dollars for helping North Koreans collect millions in salary for doing remote IT jobs. The wave of sentencing began in 2025 with a guilty plea by Christina Chapman, a 51-year-old woman who cared for 90 laptops in her home while helping her North Korean handlers get jobs at 309 companies, raking in $17.1 million. The salaries are diverted to Kim\u2019s government to pay for nuclear weapons development, officials say.\u00a0<\/p>\n<p>\u201cNorth Korea turns around and uses the money it steals through these operations to fund the unlawful development of weapons of mass destruction\u2014nuclear bombs, for example, and ballistic missiles with which to target the United States and our allies,\u201d Jonathan Fritz, principal deputy assistant secretary of state for East Asia Pacific affairs, said at a UN committee meeting on the North Korean fraud scheme in January.<\/p>\n<p>The recent spate of prison terms is meant to be a deterrent to curious Americans who see participating in the scheme as a get-money-quick option, but investigators say this is only the tip of the iceberg when it comes to the U.S. muscle undergirding the fraud scheme. Some American facilitators are sophisticated, some are naive, and others walked away from the scheme years ago. However, involvement in this fraud isn\u2019t casual. American identities are still circulating through the North Korean fraud apparatus after they\u2019ve completely moved on with their lives, investigators say.<\/p>\n<p>The scheme relies on two types of American identities. 
In the Wang case, they were harvested from background-check databases and attached to forged documents without the real Americans\u2019 knowledge. In others, identities are willingly rented by participants who might go even further by showing up for interviews, accepting laptops, giving urine samples or blood for drug tests, or sitting in offices pretending to work. They take a cut of the salary in exchange for providing cover to the North Korean operators so they can pass as American IT workers. In practice, investigators say, the two categories blur. Some facilitators are unwitting victims while others claim identity theft after the fact. To the North Korean IT workers, both are interchangeable.\u00a0<\/p>\n<p>The North Korean IT worker scheme, in which operatives get remote tech jobs at U.S. and European companies, is an important part of a broad campaign of malfeasance by the Democratic People\u2019s Republic of Korea (DPRK) that has generated about $2.8 billion in the past two years to help fund the country\u2019s nuclear weapon ambitions, according to the UN\u2019s Multilateral Sanctions Monitoring Committee. The committee, which tracks DPRK sanctions violations and evasion tactics, revealed in January that the scheme has now victimized 40 countries around the globe. A large portion of that total is the result of crypto theft, but the IT worker scheme reliably generates $250 million to $600 million per year in fraudulent salaries, the UN has found.\u00a0<\/p>\n<p>\u201cNorth Koreans are taking American jobs, and they\u2019re stealing cryptocurrency from American owners of said cryptocurrency,\u201d said Fritz. \u201cA North Korean IT worker can live in Laos, steal the identity of a Ukrainian online, and then use that identity to defraud a U.S. company into hiring them\u2014often for remote jobs with salaries in the hundreds of thousands of dollars range.\u201d<\/p>\n<p>Artificial intelligence has added an entirely new boost to the scheme. 
At the UN committee meeting, Evan Gordenker of cybersecurity firm Palo Alto Networks described a tactic his team had observed. In real time, AI converted a North Korean accent into a convincing American-sounding voice during live job interviews. Gordenker said the North Korean regime has built an industrial hiring machine in which getting a job is itself the job, with specialists for crafting resumes, sitting for interviews, and others who do the actual work once a position is secured.\u00a0<\/p>\n<p>\u201cYour citizens are competing against a mechanized system that has been honed over years of training to exploit how we hire,\u201d Gordenker told delegates at the UN committee meeting in January. \u201cUntil we change the fundamental system of hiring, I don\u2019t think there is anything we can do centrally to make sure that this doesn\u2019t happen.\u201d<\/p>\n<p>Additionally, as the U.S. government\u2019s priorities have shifted toward Venezuela, China, and Iran, tracking DPRK infiltration could see fewer resources, said Michael \u201cBarni\u201d Barnhart, lead investigator from cybersecurity firm DTEX, and an expert in tracking DPRK IT workers. The U.S. participants play a key role in the scheme, and much about the extent of their work is unclear. Barnhart said he often sees varying levels of participation by Americans in investigations. Some work as identity brokers, providing the fake documents, names, and identifying information to North Koreans, while others agree to appear on camera for video interviews. Others show up to take drug tests or go into the office to fill a seat and follow a return-to-office directive while their work tasks are completed by North Koreans.<\/p>\n<p>\u201cWe will immediately knee-jerk assume they are a victim,\u201d said Barnhart about the American conspirators.
\u201cAnd then once we start peeling back the onion, it\u2019s like, \u2018Oh, you\u2019re enjoying this.\u2019\u201d<\/p>\n<p>Cybersecurity firms, fintechs, and crypto-related firms see numerous fake applications from DPRK workers, said Barnhart. Insider intelligence firm DTEX, where Barnhart works, had 87 North Korean IT workers apply for jobs in recent years, he added.<\/p>\n<p>The Sting<\/p>\n<p>Barnhart and the other investigators in his network have been tracking several American identities for years that have circulated through the scheme and, despite being flagged by cybersecurity firms and law enforcement, have remained active as of last month. These real identities offer cover, a true social security number, and an identity veneer that the DPRK IT workers can use in their schemes to get jobs, even if the real American, who might have initially lent their identity to the scheme, has stopped participating.<\/p>\n<p>Barnhart and investigators he works with\u2014many of whom work under false identities to avoid retaliation\u2014set up an operation in 2024 to try to lure DPRK IT workers and American facilitators into the open to trace their tactics and methods. A partner created a front company and posted some job listings. It wasn\u2019t long before a candidate applied claiming to hail from Austin, Texas. On video calls, however, the candidate didn\u2019t show any familiarity with typical Texan culture.\u00a0<\/p>\n<p>\u201cThere was nothing about football, nothing about barbecue,\u201d said Barnhart, who spoke during a DTEX panel in San Francisco in March. \u201cYou just peel back the onion a little bit, and you can see that the lies fall apart. Everything\u2019s an inch deep.\u201d<\/p>\n<p>Barnhart and his network wanted to see how far the scheme would stretch.
They told the worker he needed to come on-site for identity verification, where they expected the ruse to collapse.\u00a0<\/p>\n<p>Instead, a young man named \u201cDavid\u201d walked into the facility in person, presented a real government-issued ID, signed the paperwork, and passed the screening. David, whose last name Fortune is withholding for privacy reasons, was not the same person from the video interviews; he was a local proxy\u2014a real American lending his identity to someone else he likely never met face-to-face, said Barnhart.\u00a0<\/p>\n<p>\u201cWe thought it was a stolen identity until the real dude showed up,\u201d Barnhart said. \u201cThat\u2019s where we got to the facilitator stuff.\u201d<\/p>\n<p>The David who showed up claiming to be the applicant appeared to be a college student at the time. Barnhart surmised he was picking up some extra cash in a side deal he might not have truly understood.\u00a0<\/p>\n<p>\u201cWhen he was doing this with us, he was in college,\u201d said Barnhart. \u201cI bet he was just, like, a poor college kid.\u201d<\/p>\n<p>But the operation didn\u2019t end with David. When Barnhart\u2019s operation went to ship a \u201ccompany laptop\u201d to David in Texas, David said he\u2019d moved and asked that it be routed to Moorhead, Minnesota instead. There, a different facilitator, a man named \u201cAaron,\u201d accepted the package under David\u2019s name, said Barnhart. Aaron, whose last name Fortune is also withholding, got the laptop, set it up, and arranged it so a North Korean IT worker could perform the job tasks. Barnhart\u2019s team had digital forensics noting every step.\u00a0<\/p>\n<p>\u201cWe have confirmed. We sent hardware and infrastructure to his home and it was accepted,\u201d Barnhart said.
\u201cThrough the partner company we were working with, we were able to see forensics on the laptop to show it was operational at his location.\u201d<\/p>\n<p>Multiple cybersecurity operators and law enforcement were alerted to Aaron and David\u2019s roles, but as far as Barnhart is aware, action has not yet been taken. Barnhart suspects that their work inside the scheme might be so low level that it doesn\u2019t meet the threshold for law enforcement working with limited resources.\u00a0<\/p>\n<p>Fortune corresponded with David and Aaron after being given their contact information from Barnhart.\u00a0<\/p>\n<p>David denied multiple times via LinkedIn messages that he ever accepted a laptop on behalf of anyone else and said he was unaware of any employment scheme. After being contacted by Fortune with questions, David said his identity was stolen and that he has discovered 10 jobs linked to his identity since 2021 when he was 19 years old.<\/p>\n<p>\u201cI actually went ahead and checked my IRS transcripts over the weekend and noticed that there were tons of w2s dating back to when I was 19 that I never applied or work [sic] for,\u201d David wrote in a LinkedIn message this month. \u201cSomeone definitely stole my identity back then and applied to jobs without my knowledge. Many had addresses from a completely different state. I went ahead and filled out the form 14039 to report it to the [IRS]. I also reported it to FTC.\u201d\u00a0\u00a0<\/p>\n<p>Aaron denied any knowledge of a laptop or North Korean IT worker scheme.\u00a0<\/p>\n<p>\u201cI don\u2019t know anything about that,\u201d Aaron wrote in an email to Fortune.\u00a0<\/p>\n<p>Regardless of how much the American facilitators know or don\u2019t know, the DPRK scheme relies on their participation, prosecutors said.\u00a0<\/p>\n<p>\u201cNorth Korean IT worker schemes would not be successful without U.S.-based facilitators,\u201d said Assistant Attorney General John Eisenberg in an April sentencing memo. 
The facilitators \u201cassist overseas remote IT workers by operating laptop farms, creating fictitious front companies and associated financial accounts, defrauding U.S. companies through the use of false and fake identification documents, and pocketing substantial sums of money for their roles.\u201d<\/p>\n<p>Identities that Never Die<\/p>\n<p>Whether or not Aaron or David were part of a scheme wittingly or unwittingly, their identities are still circulating through the North Korean IT worker pipeline, said Barnhart.\u00a0<\/p>\n<p>It sets the North Korean scheme apart from other garden-variety frauds because after a facilitator walks away, gets arrested, or just stops participating, their identities keep working. By mid-2024 for instance, Barnhart thought he\u2019d seen the last of Aaron and David. In June 2025, the FBI announced it had conducted 29 raids across 16 states, and had seized 21 fraudulent websites that were part of the scheme.\u00a0<\/p>\n<p>\u201cI thought I\u2019d never see [them] again, and moved on,\u201d said Barnhart.\u00a0<\/p>\n<p>Then in winter 2026, another investigator colleague texted him a screenshot showing that the two names were listed as board members of an American employment company for tech workers. The company serves as a front for North Koreans in the scheme so that they appear to be vetted, background-checked workers, when in reality they use stolen or fake identities shielding their identities as North Korean operatives.<\/p>\n<p>\u201cI was like, dammit,\u201d said Barnhart.\u00a0<\/p>\n<p>Barnhart said his team has also pinpointed a third identity floating around that also goes by \u201cDavid\u201d but with a different last name. 
The person behind all three identities, the one actually doing the work and logging into the computers from abroad, was tied to a single North Korean operative Barnhart and other investigators had been tracking for years.\u00a0\u00a0<\/p>\n<p>The real Davids and Aaron may have walked away from whatever arrangement they once had, but their names and digital footprints have taken on a life of their own inside the North Korean apparatus. Fake LinkedIn profiles with their names have been created and deleted, and resumes with their identities still land on recruiters\u2019 desks. The fake Aaron and the fake Davids are still \u201cvery alive, very well, and still doing IT work,\u201d said Barnhart.\u00a0<\/p>\n<p>The real people behind these identities \u201cmight not even know they\u2019re still part of the scam,\u201d said Barnhart.\u00a0<\/p>\n<p>Victim or Conspirator?<\/p>\n<p>The David-Aaron issue illustrates what can be a murky line between cybersecurity research, law enforcement, and responsible hiring. It\u2019s hard to draw a clean line and it might shift over time.\u00a0<\/p>\n<p>Mitchell Green, a security researcher who spoke on the panel with Barnhart, said he has worked on more than a dozen cases that have uncovered and fired remote North Korean IT workers employed at companies. He\u2019s seen a wide range of facilitator involvement.\u00a0<\/p>\n<p>\u201cSome of them are very smart, and they\u2019re getting really involved in the operation and they\u2019re essentially a force multiplier,\u201d Green said. \u201cWe have others who are very unassuming.\u201d<\/p>\n<p>The grooming process can also be extensive, Green said. North Korean IT workers invest heavily into building relationships with American conspirators, sometimes over months, in order to cultivate trust.\u00a0<\/p>\n<p>\u201cWe\u2019ve seen them actually, in some cases, helping the facilitators with homework,\u201d he said.
\u201cThere\u2019s a lot of social engineering that happens on that side, too.\u201d<\/p>\n<p>Some DPRK workers have really leaned in on American corporate culture and norms. Barnhart said he\u2019s seen workers realize they\u2019re about to be caught and announce that they are taking medical leave. U.S. companies are typically restricted from contacting employees who are on protected leave. In one instance, an employee got another six paychecks because he understood he could use that time to generate additional revenue for the scheme, said Barnhart.\u00a0<\/p>\n<p>But for every Kejia Wang who receives a near-decade prison sentence, there are facilitators who were never raided, never charged, and whose stolen or borrowed identities remain permanently lodged in an operation they may have had a hand in during a moment of weakness. At the UN event, Palo Alto\u2019s Gordenker framed the stakes in human terms. The remote jobs that North Korean operatives are stealing\u2014flexible, well-paying positions that can be done from home\u2014are exactly the kind of work that Americans with disabilities, caregiving responsibilities, or limited mobility depend on.<\/p>\n<p>\u201cThese are typically well-paying jobs, sometimes jobs that can be taken from home,\u201d Gordenker said. 
\u201cFolks that have issues with accessibility, folks that have children that they must care for, folks that are caring for elders\u2014these are the types of jobs that would be gold mines for those families.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This month, a federal judge in Massachusetts sentenced Kejia \u201cTony\u201d Wang, a 42-year-old husband and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[245],"tags":[821,2210,4787,10124,10125,6863,2520,6861,2545,1628,5215,317,624],"_links":{"self":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/4892"}],"collection":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4892"}],"version-history":[{"count":0,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/4892\/revisions"}],"wp:attachment":[{"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}