Four U.S. citizens and one Ukrainian national have pleaded guilty in federal court to participating in a covert scheme that helped North Korean workers illegally secure remote IT jobs with American companies, the U.S. Department of Justice announced Friday. The pleas came alongside two sweeping forfeiture complaints targeting over $15 million in stolen virtual currency from Pyongyang-backed cyber operations, including funds seized by the FBI earlier this year.
According to prosecutors, the operation functioned like a shadow pipeline—North Korean workers masqueraded as U.S.-based tech professionals using stolen identities, while the illicit earnings helped bankroll the regime’s weapons programs in defiance of international sanctions.
“These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans,” Assistant Attorney General John A. Eisenberg said.
How the Fraud Worked
Stolen Identities, Hosted Laptops, and Faked Locations
Court filings show that the U.S.- and Ukraine-based facilitators provided their own identities—or those stolen from innocent Americans—to North Korean operatives applying for remote jobs. They also hosted company-issued laptops at their homes across the United States, creating the illusion that the IT workers were operating domestically.
The DOJ says the scheme targeted 136 U.S. companies, generated roughly $2.2 million for the DPRK, and compromised the identities of more than 18 U.S. individuals.
A 2022 advisory from the FBI, Treasury, and State Department previously warned that North Korean IT workers can earn up to $300,000 annually, collectively funneling hundreds of millions into programs run by the DPRK Ministry of Defense.
