US Nationals and Foreign Accomplices Plead Guilty in North Korean IT Worker Employment and Crypto Laundering Scheme
The US Department of Justice announced multiple guilty pleas from US citizens and a Ukrainian national for their roles in facilitating North Korean IT workers' fraudulent employment at US companies and laundering millions in illicit proceeds. The scheme involved US nationals providing their identities, hosting company laptops, and even taking drug tests on behalf of North Korean operatives, enabling them to bypass vetting processes and earn over $2 million in salaries. Ukrainian national Oleksandr Didenko also pleaded guilty to wire fraud and identity theft, having stolen and sold US citizen identities to North Korean IT workers, and operated a site that managed hundreds of stolen identities and coordinated laptop farms across several US states.
Authorities seized more than $15 million in cryptocurrency linked to North Korean facilitators, and Didenko agreed to forfeit over $1.4 million. The Justice Department highlighted these convictions and asset seizures as significant progress in disrupting North Korea's use of remote IT work and cryptocurrency theft to fund its regime. The cases underscore the complexity and international reach of North Korea's cyber-enabled financial schemes, as well as the ongoing efforts by US law enforcement to identify and prosecute both domestic and foreign enablers.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Two U.S. laptop-farm operators sentenced in DPRK IT worker scheme
U.S. federal courts sentenced Matthew Issac Knoot of Tennessee and Erick Ntekereze Prince of New York to 18 months in prison for operating laptop farms that helped North Korean IT workers pose as U.S.-based employees. Prosecutors said the scheme generated more than $1.2 million for Pyongyang after victim companies shipped work laptops to the defendants' residences.
U.S. offers $5 million reward on North Korean IT worker conspirators
Alongside the sentencing announcement, the U.S. government offered rewards of up to $5 million for information that could help disrupt North Korean fake IT worker schemes and identify additional people involved. The move expanded the response beyond prosecutions to incentivize new leads on the broader network.
Two U.S. nationals sentenced in North Korean IT worker scheme
The U.S. Department of Justice announced the sentencings of Kejia Wang, 42, and Zhenxing Wang, 39, for helping North Korean remote IT workers fraudulently obtain jobs at more than 100 U.S. companies. Authorities said the operation used stolen identities from at least 80 U.S. persons and generated millions in revenue for North Korea.
FBI and DOJ urge stronger remote-worker vetting by employers
Following the guilty pleas and enforcement actions, U.S. authorities warned that North Korea's fake IT worker operations remain a growing threat to private-sector organizations. The FBI urged companies to strengthen hiring and remote-worker verification practices to detect fraudulent applicants and prevent further infiltration.
Five defendants plead guilty in North Korean IT worker cases
The DOJ disclosed that five people, including multiple U.S. citizens and Ukrainian national Oleksandr Didenko, pleaded guilty for roles in helping North Korean IT workers evade sanctions and infiltrate U.S. companies. The charges included wire fraud conspiracy, aggravated identity theft, and related offenses tied to identity brokering and laptop-farm operations.
DOJ seizes over $15 million tied to APT38 crypto thefts
The U.S. Department of Justice announced the seizure or sequestration of more than $15 million in cryptocurrency proceeds linked to North Korean state-sponsored threat activity associated with APT38. Officials described the action as part of a broader effort to disrupt Pyongyang's cyber-enabled revenue streams.
DOJ indicts five in DPRK remote IT worker fraud scheme
The U.S. Department of Justice announced indictments against two North Korean nationals and three facilitators for a multi-year scheme that used stolen identities and U.S.-based laptop farms to obtain remote IT jobs at American companies. Authorities also arrested two U.S. defendants, searched a North Carolina laptop-farm location, and said Dutch authorities arrested another defendant on a U.S. warrant.
North Korean operatives infiltrate at least 136 U.S. companies
Across the fake IT worker operation, North Korean personnel used fraudulent identities and U.S.-based support networks to infiltrate at least 136 American companies. The activity generated roughly $2 million in illicit earnings, including about $1.28 million in salary payments in one laptop-farm scheme.
Ukrainian broker steals and sells U.S. identities for the scheme
A Ukrainian national, Oleksandr Didenko, stole and sold U.S. identities that were used by overseas IT workers, including North Koreans, to fraudulently secure employment at U.S. companies. He later agreed to forfeit more than $1.4 million tied to the activity.
North Korean IT worker scheme operates through U.S. facilitators
From at least June 2020, U.S.-based facilitators helped North Korean IT workers obtain remote jobs at American companies by using borrowed or stolen identities, hosting company laptops in the United States, and enabling remote access. One scheme described by the DOJ continued until August 2024 and affected dozens of U.S. firms.



