This month, a federal judge in Massachusetts sentenced Kejia “Tony” Wang, a 42-year-old husband and father from New Jersey, to nine years in prison for spearheading what prosecutors described as an international fraud operation that placed North Korean IT workers in tech jobs at more than 100 American companies—including Fortune 500 firms.
Over the course of three years, Wang’s network stole the identities of more than 80 Americans, forged fake social security cards and California driver’s licenses with photos of the North Korean operatives, filed false employment forms with the Department of Homeland Security, and doctored tax documents that went to the IRS and Social Security Administration. The scheme, in which the North Koreans got hired using Americans’ stolen identities, generated more than $5 million in salary payments from the victim companies. The subsequent fallout once it was uncovered caused at least $3 million in legal fees and computer clean-up costs at businesses in 28 states and the District of Columbia, court records show. Another participant in the scheme, Zhenxing Wang, 39—no relation to Kejia Wang, but a friend since both men arrived from China nearly 20 years ago—was sentenced to nearly eight years in prison. The court ordered both to forfeit $600,000, collectively, that they were paid from their part in the fraud.
The Wang prison terms bring the number of Americans convicted for aiding North Korean leader Kim Jong Un’s government to at least seven since last year. The group includes a former active-duty U.S. Army soldier, an Arizona woman, a nail technician from Maryland, and two men from California. All earned thousands of dollars for helping North Koreans collect millions in salary for doing remote IT jobs. The wave of sentencing began in 2025 with a guilty plea by Christina Chapman, a 51-year-old woman who cared for 90 laptops in her home while helping her North Korean handlers get jobs at 309 companies, raking in $17.1 million. The salaries are diverted to Kim’s government to pay for nuclear weapons development, officials say.
“North Korea turns around and uses the money it steals through these operations to fund the unlawful development of weapons of mass destruction—nuclear bombs, for example, and ballistic missiles with which to target the United States and our allies,” Jonathan Fritz, principal deputy assistant secretary of state for East Asia Pacific affairs, said at a UN committee meeting on the North Korean fraud scheme in January.
The recent spate of prison terms is meant to be a deterrent to curious Americans who see participating in the scheme as a get-money-quick option, but investigators say this is only the tip of the iceberg when it comes to the U.S. muscle undergirding the fraud scheme. Some American facilitators are sophisticated, some are naive, and others walked away from the scheme years ago. However, involvement in this fraud isn’t casual. American identities are still circulating through the North Korean fraud apparatus after they’ve completely moved on with their lives, investigators say.
The scheme relies on two types of American identities. In the Wang case, they were harvested from background-check databases and attached to forged documents without the real Americans’ knowledge. In others, identities are willingly rented by participants who might go even further by showing up for interviews, accepting laptops, giving urine samples or blood for drug tests, or sitting in offices pretending to work. They take a cut of the salary in exchange for providing cover to the North Korean operators so they can pass as American IT workers. In practice, investigators say, the two categories blur. Some facilitators are unwitting victims while others claim identity theft after the fact. To the North Korean IT workers, both are interchangeable.
The North Korean IT worker scheme, in which operatives get remote tech jobs at U.S. and European companies, is an important part of a broad campaign of malfeasance by the Democratic People’s Republic of Korea (DPRK) that has generated about $2.8 billion in the past two years to help fund the country’s nuclear weapon ambitions, according to the UN’s Multilateral Sanctions Monitoring Committee. The committee, which tracks DPRK sanctions violations and evasion tactics, revealed in January that the scheme has now victimized 40 countries around the globe. A large portion of that total is the result of crypto theft, but the IT worker scheme reliably generates $250 million to $600 million per year in fraudulent salaries, the UN has found.
“North Koreans are taking American jobs, and they’re stealing cryptocurrency from American owners of said cryptocurrency,” said Fritz. “A North Korean IT worker can live in Laos, steal the identity of a Ukrainian online, and then use that identity to defraud a U.S. company into hiring them—often for remote jobs with salaries in the hundreds of thousands of dollars range.”
Artificial intelligence has added an entirely new boost to the scheme. At the UN committee meeting, Evan Gordenker of cybersecurity firm Palo Alto Networks described a tactic his team had observed. In real-time, AI converted a North Korean accent into a convincing American-sounding voice during live job interviews. Gordenker said the North Korean regime has built an industrial hiring machine in which getting a job is itself the job, with specialists for crafting resumes, sitting for interviews, and others who do the actual work once a position is secured.
“Your citizens are competing against a mechanized system that has been honed over years of training to exploit how we hire,” Gordenker told delegates at the UN committee meeting in January. “Until we change the fundamental system of hiring, I don’t think there is anything we can do centrally to make sure that this doesn’t happen.”
Additionally, as the U.S. government’s priorities have shifted toward Venezuela, China, and Iran, tracking DPRK infiltration could see fewer resources, said Michael “Barni” Barnhart, lead investigator from cybersecurity firm DTEX, and an expert in tracking DPRK IT workers. The U.S. participants play a key role in the scheme and much about the extent of their work is unclear. Barnhart said he often sees varying levels of participation by Americans in investigations. Some work as identity brokers—providing the fake documents, names, and identifying information to North Koreans, while others agree to appear on camera for video interviews. Others show up to take drug tests or go into the office to fill a seat and follow a return-to-office directive while their work tasks are completed by North Koreans.
“We will immediately knee-jerk assume they are a victim,” said Barnhart about the American conspirators. “And then once we start peeling back the onion, it’s like, ‘Oh, you’re enjoying this.’”
Cybersecurity firms, fintechs, and crypto-related firms see numerous fake applications from DPRK workers, said Barnhart. Insider intelligence firm DTEX, where Barnhart works, had 87 North Korean IT workers apply for jobs in recent years, he added.
The Sting
Barnhart and the other investigators in his network have been tracking several American identities for years that have circulated through the scheme and, despite being flagged by cybersecurity firms and law enforcement, have remained active as of last month. These real identities offer cover, a true social security number, and an identity veneer that the DPRK IT workers can use in their schemes to get jobs, even if the real American, who might have initially lent their identity to the scheme, has stopped participating.
Barnhart and investigators he works with—many of whom work under false identities to avoid retaliation—set up an operation in 2024 to try to lure DPRK IT workers and American facilitators into the open to trace their tactics and methods. A partner created a front company and posted some job listings. It wasn’t long before a candidate applied claiming to hail from Austin, Texas. On video calls however, the candidate didn’t show any familiarity with typical Texan culture.
“There was nothing about football, nothing about barbecue,” said Barnhart, who spoke during an DTEX panel in San Francisco in March. “You just peel back the onion a little bit, and you can see that the lies fall apart. Everything’s an inch deep.”
Barnhart and his network wanted to see how far the scheme would stretch. They told the worker he needed to come on-site for identity verification where they expected the ruse to collapse.
Instead, a young man named “David” walked into the facility in person, presented a real government-issued ID, signed the paperwork, and passed the screening. David, whose last name Fortune is withholding for privacy reasons, was not the same person from the video interviews, he was a local proxy—a real American lending his identity to someone else he likely never met face-to-face, said Barnhart.
“We thought it was a stolen identity until the real dude showed up,” Barnhart said. “That’s where we got to the facilitator stuff.”
The David who showed up claiming to be the applicant appeared to be a college student at the time. Barnhart surmised he was picking up some extra cash in a side deal he might not have truly understood.
“When he was doing this with us, he was in college,” said Barnhart. “I bet he was just, like, a poor college kid.”
But the operation didn’t end with David. When Barnhart’s operation went to ship a “company laptop” to David in Texas, David said he’d moved and asked that it be routed to Moorhead, Minnesota instead. There, a different facilitator, a man named “Aaron,” accepted the package under David’s name, said Barnhart. Aaron, whose last name Fortune is also withholding, got the laptop, set it up, and arranged it so a North Korean IT worker could perform the job tasks. Barnhart’s team had digital forensics noting every step.
“We have confirmed. We sent hardware and infrastructure to his home and it was accepted,” Barnhart said. “Through the partner company we were working with, we were able to see forensics on the laptop to show it was operational at his location.”
Multiple cybersecurity operators and law enforcement were alerted to Aaron and David’s roles, but as far as Barnhart is aware, action has not yet been taken. Barnhart suspects that their work inside the scheme might be so low level that it doesn’t meet the threshold for law enforcement working with limited resources.
Fortune corresponded with David and Aaron after being given their contact information from Barnhart.
David denied multiple times via LinkedIn messages that he ever accepted a laptop on behalf of anyone else and said he was unaware of any employment scheme. After being contacted by Fortune with questions, David said his identity was stolen and that he has discovered 10 jobs linked to his identity since 2021 when he was 19 years old.
“I actually went ahead and checked my IRS transcripts over the weekend and noticed that there were tons of w2s dating back to when I was 19 that I never applied or work [sic] for,” David wrote in a LinkedIn message this month. “Someone definitely stole my identity back then and applied to jobs without my knowledge. Many had addresses from a completely different state. I went ahead and filled out the form 14039 to report it to the [IRS]. I also reported it to FTC.”
Aaron denied any knowledge of a laptop or North Korean IT worker scheme.
“I don’t know anything about that,” Aaron wrote in an email to Fortune.
Regardless of how much the American facilitators know or don’t know, the DPRK scheme relies on their participation, prosecutors said.
“North Korean IT worker schemes would not be successful without U.S.-based facilitators,” said Assistant Attorney General John Eisenberg in an April sentencing memo. The facilitators “assist overseas remote IT workers by operating laptop farms, creating fictitious front companies and associated financial accounts, defrauding U.S. companies through the use of false and fake identification documents, and pocketing substantial sums of money for their roles.”
Identities that Never Die
Whether or not Aaron or David were part of a scheme wittingly or unwittingly, their identities are still circulating through the North Korean IT worker pipeline, said Barnhart.
It sets the North Korean scheme apart from other garden-variety frauds because after a facilitator walks away, gets arrested, or just stops participating, their identities keep working. By mid-2024 for instance, Barnhart thought he’d seen the last of Aaron and David. In June 2025, the FBI announced it had conducted 29 raids across 16 states, and had seized 21 fraudulent websites that were part of the scheme.
“I thought I’d never see [them] again, and moved on,” said Barnhart.
Then in winter 2026, another investigator colleague texted him a screenshot showing that the two names were listed as board members of an American employment company for tech workers. The company serves as a front for North Koreans in the scheme so that they appear to be vetted, background-checked workers, when in reality they use stolen or fake identities shielding their identities as North Korean operatives.
“I was like, dammit,” said Barnhart.
Barnhart said his team has also pinpointed a third identity floating around that also goes by “David” but with a different last name. The person behind all three identities, the one actually doing the work and logging into the computers from abroad, was tied to a single North Korean operative Barnhart and other investigators had been tracking for years.
The real Davids and Aaron may have walked away from whatever arrangement they once had but their names and digital footprints have taken on a life of their own inside the North Korean apparatus. Fake LinkedIn profiles with their names have been created and deleted, and resumes with their identities still land on recruiters desks. The fake Aaron and the fake Davids are still “very alive, very well, and still doing IT work,” said Barnhart.
The real people behind these identities “might not even know they’re still part of the scam,” said Barnhart.
Victim or Conspirator?
The David-Aaron issue illustrates what can be a murky line between cybersecurity research, law enforcement, and responsible hiring. It’s hard to draw a clean line and it might shift over time.
Mitchell Green, a manager at Aon’s Cyber Solutions unit who spoke on the panel with Barnhart, said he has worked on more than a dozen cases that have uncovered and fired remote North Korean IT workers employed at companies. He’s seen a wide range of facilitator involvement.
“Some of them are very smart, and they’re getting really involved in the operation and they’re essentially a force multiplier,” Green said. “We have others who are very unassuming.”
The grooming process can also be extensive, Green said. North Korean IT workers invest heavily into building relationships with American conspirators, sometimes over months, in order to cultivate trust.
“We’ve seen them actually, in some cases, helping the facilitators with homework,” he said. “There’s a lot of social engineering that happens on that side, too.”
Some DPRK workers have really leaned in on American corporate culture and norms. Barnhart said he’s seen workers realize they’re about to be caught and announce that they are taking medical leave. U.S. companies are typically restricted from contacting employees who are on protected leave. In one instance, an employee got another six paychecks because he understood he could use that time to generate additional revenue for the scheme, said Barnhart.
But for every Kejia Wang who receives a near-decade prison sentence, there are facilitators who were never raided, never charged, and whose stolen or borrowed identities remain permanently lodged in an operation they may have had a hand in during a moment of weakness. At the UN event, Palo Alto’s Gordenker framed the stakes in human terms. The remote jobs that North Korean operatives are stealing—flexible, well-paying positions that can be done from home—are exactly the kind of work that Americans with disabilities, caregiving responsibilities, or limited mobility depend on.
“These are typically well-paying jobs, sometimes jobs that can be taken from home,” Gordenker said. “Folks that have issues with accessibility, folks that have children that they must care for, folks that are caring for elders—these are the types of jobs that would be gold mines for those families.”
