How North Korean Hackers Are Stealing Remote IT Jobs and Americans Are Helping

A federal judge sentenced Kejia "Tony" Wang to nine years in prison for leading a scheme that placed North Korean IT workers in remote tech jobs at over 100 U.S. companies, including Fortune 500 firms. The network stole identities of more than 80 Americans, forged documents, and generated over $5 million in salary payments. Another participant, Zhenxing Wang, received nearly eight years. Both were ordered to forfeit $600,000.

This case is part of a broader crackdown: at least seven Americans have been convicted since last year for aiding North Korea's government. The scheme, which the UN says has generated $2.8 billion in two years, funnels money to Kim Jong Un's nuclear weapons program. According to Assistant Attorney General John Eisenberg, "North Korean IT worker schemes would not be successful without U.S.-based facilitators."

How the Scheme Works

The operation relies on two types of American identities: stolen ones from background-check databases, and willingly rented ones. Facilitators may show up for interviews, accept laptops, provide urine samples for drug tests, or sit in offices pretending to work. They take a cut of the salary. Investigators say the line between victim and conspirator is often blurry.

AI-Powered Deception

Artificial intelligence has boosted the scheme. Palo Alto Networks described how AI converts North Korean accents into convincing American-sounding voices during live job interviews. The regime has built an "industrial hiring machine" with specialists for crafting resumes, sitting for interviews, and doing the actual work.

The Sting Operation

Cybersecurity firm DTEX set up a front company to lure DPRK workers. A candidate claiming to be from Austin, Texas, showed no familiarity with Texan culture. When asked to come on-site, a young man named "David" appeared with a real ID—a local proxy. The laptop was then shipped to another facilitator, "Aaron," in Minnesota. Both denied involvement when contacted by Fortune, but their identities remain active in the scheme.

Identities That Never Die

Even after facilitators walk away, their identities keep circulating. DTEX investigator Michael Barnhart tracked identities that were still being used years later. Fake LinkedIn profiles and resumes with their names continue to land on recruiters' desks. The real people behind them "might not even know they're still part of the scam."

Victim or Conspirator?

The grooming process can be extensive. DPRK workers build relationships over months, sometimes helping facilitators with homework. Some workers, when about to be caught, announce medical leave to get extra paychecks. The remote jobs stolen are exactly the kind that Americans with disabilities or caregiving responsibilities depend on.

Key takeaway: This is a sophisticated, ongoing threat that exploits remote work and U.S. hiring practices. Companies must strengthen identity verification and be vigilant against AI-powered deception.