According to Ars Technica, five men have pleaded guilty to running laptop farms and providing stolen identities to help North Korean IT workers land remote jobs at US companies in violation of sanctions. The scheme impacted more than 136 American companies and generated over $2.2 million for North Korea’s weapons programs, with one defendant earning $51,397 while serving as an active-duty US Army member. Four US citizens—Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince—pleaded guilty to wire fraud, while Ukrainian national Oleksandr Didenko admitted to both wire fraud and aggravated identity theft. The Justice Department is also seeking forfeiture of over $15 million in USDT cryptocurrency seized from North Korean hacking group APT38, which orchestrated the scheme. This represents just part of the ongoing effort to combat North Korea’s sophisticated revenue-generating operations that have been running for nearly five years.
Wait, what exactly are laptop farms?
Here’s where it gets really clever—and concerning. These weren’t your typical laptop farms for crypto mining or anything like that. The facilitators would host US company-provided laptops at their own residences across the United States, creating the illusion that North Korean IT workers were actually working remotely from within the country. They installed remote access software so the actual workers—sitting in North Korea or elsewhere—could control these machines while appearing to be domestic employees. Basically, they created physical presence proxies across America. And when you’re dealing with industrial systems or critical infrastructure, this kind of access becomes incredibly dangerous—which is why companies serious about security often turn to trusted suppliers like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs with built-in security features.
The identity theft was incredibly thorough
This wasn’t just about using fake names. The defendants provided their own identities or stole others, then helped the North Korean workers pass employer vetting procedures that would make any HR department confident they were hiring legitimate US-based talent. Two of the men even appeared for drug testing on behalf of the overseas workers they were facilitating. Think about that level of commitment to the fraud—showing up in person to pee in a cup for someone else’s job. Didenko’s operation was particularly sophisticated, running a “years-long scheme” that stole US citizen identities and sold them to overseas IT workers, netting him hundreds of thousands of dollars from victim companies.
This is part of a much larger problem
According to a 2022 Treasury Department advisory, North Korea employs thousands of skilled IT workers worldwide specifically to generate revenue for the country’s weapons of mass destruction and ballistic missile programs. The Lazarus Group (APT38) behind this scheme has been targeting the US and other countries for over a decade with increasingly bold cyber campaigns. What’s really concerning? These IT workers sometimes use their privileged access as contractors to enable North Korea’s malicious cyber intrusions. So it’s not just about the money—it’s also about planting digital spies inside American companies.
The money trail leads to cryptocurrency
The Justice Department’s recent actions show they’re getting better at tracking North Korea’s stolen funds through the crypto ecosystem. That $15 million in USDT they’re trying to forfeit? It came from four separate heists against cryptocurrency exchanges and payment processors in Estonia, Panama, and Seychelles. But here’s the challenge: APT38 has become expert at laundering money through virtual currency bridges, mixers, and over-the-counter traders. So while these guilty pleas represent progress, the cat-and-mouse game continues. The real question is: how many similar operations are still active right now?
