On April 15, 2026, the Department of Justice (DOJ) announced that two U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced for facilitating a North Korean IT worker scheme that compromised over 80 U.S. identities, with sentences of 108 and 92 months respectively, supervised release, and forfeiture orders.
The scheme involved the defendants operating “laptop farms” and using the stolen identities of over 80 legitimate U.S. citizens, with co-conspirators posting as remote workers to obtain employment at more than 100 U.S. companies. Once the stolen identities were used to obtain employment, a company laptop would be sent by the unsuspecting company to the “new employee” at the laptop farm. Once the laptop was received, the operators of the laptop farms would allow remote access to the devices, enabling North Korean actors to infiltrate the companies’ system with access to sensitive data, including ITAR-controlled data. The scheme netted over $5M for the North Korean government, considered by the DOJ as a “hostile foreign regime.”
The scheme took place between 2021 and 2024. One of the defendants served as “the U.S.-based manager for the scheme, supervising at least five facilitators in the United States who collectively hosted hundreds of computers of U.S. victim companies at their residences.”
Eight indicted co-conspirators remain at large, with a $5M reward announced for information leading to disruption of DPRK financial mechanisms; previous seizures of domains and accounts occurred in June and October 2025.
KnowB4 was one of the first companies to alert others about the scheme in its July 23, 2025 blog, stating,
First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.
The blog is extremely helpful in understanding how the scheme worked and how over 100 U.S. companies fell victim to it. It is also illustrative of how sophisticated and devious foreign adversaries are to obtain money to use against the U.S.
Although these two defendants have been sentenced, the North Korean worker scheme continues to be operated by others and is still a threat. As recently as March 6, 2026, Microsoft Threat Intelligence sent a warning that the operatives are now using AI to shorten the time it takes them to create fake identities to start the scheme. Companies should continue to be on the alert for remote worker fraud schemes and implement policies and procedures to prevent becoming victimized.
