DOJ indicts two Americans for running laptop farm used in North Korea IT worker scam
The Justice Department indicted five people for their role in a scheme that allowed North Koreans to gain employment with at least 64 U.S. companies and earn hundreds of thousands of dollars for Pyongyang’s government.
North Korean nationals Jin Sung-Il and Pak Jin-Song were indicted alongside Americans Erick Ntekereze Prince and Emanuel Ashtor as well as Mexican national Pedro Ernesto Alonso De Los Reyes.
Ntekereze and Ashtor were arrested by the FBI, who found evidence of a “laptop farm” at Ashtor’s home during a raid. The devices helped the North Koreans appear as if they worked from the United States, according to the indictment.
Alonso De Los Reyes lives in Sweden but was arrested in the Netherlands on January 10 after a U.S. warrant was issued.
The team made about $866,255 through the scheme and laundered the funds through a Chinese bank account, according to the indictment. The scheme ran from April 2018 to August 2024.
“The FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.
The indictment notes that Jin and Pak were not the only North Koreans involved in the scheme. They all used forged or stolen documents like U.S. passports to obtain IT jobs at the U.S. companies. Jin allegedly used Alonso De Los Reyes’s identity and documents with his consent to apply for at least one job.
Once they got the jobs, the companies sent work laptops to Ntekereze and Ashtor, who allegedly installed remote access software like AnyDesk and TeamViewer on them — allowing the North Koreans to work remotely. The two also helped the North Koreans launder the money made through the work.
Ntekereze and Ashtor both ran IT staffing companies that were used as cover to get the North Koreans hired. According to the indictment, some of the companies affected include a multinational retail corporation, a U.S. financial institution, a cruise line and a tech company.
Ntekereze was paid more than $89,000 and Ashtor earned about $40,000 from the scheme.
All five of the people named in the indictment are facing charges of conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering and conspiracy to transfer false identification documents. They are facing a maximum penalty of 20 years in prison.
Jin and Pak, both of whom reside in Liaoning Province, China, are facing an additional charge of conspiracy to violate the International Emergency Economic Powers Act.
The Justice Department noted that as part of its “DPRK RevGen: Domestic Enabler” Initiative, it has sought to find and shut down laptop farms run by U.S. citizens as part of the scheme.
Last year, the department disclosed two operations, arresting a man in Tennessee and a woman in Arizona for running laptop farms that North Koreans used as a way to conceal their identity.
Over the last four years, U.S. agencies have uncovered a wide-ranging effort by North Korea to have its citizens employed at U.S. companies — both to earn high-paying IT salaries that can be funneled back to the government and to get access to sensitive documents that can be stolen or sold.
The Justice Department said North Korea has sent “thousands” of skilled IT workers to China, Russia and Southeast Asia with the goal of getting hired as freelance IT workers.
The indictment said North Korean IT workers “could individually earn more than $300,000 a year in some cases, and teams of IT workers could collectively earn more than $3 million annually.” Another indictment released in December said 14 North Koreans were able to earn $88 million over several years through IT salaries and extortion using stolen information.
But the North Korean government withholds up to 90 percent of the wages, allowing the country to earn “hundreds of millions of dollars” from the scheme, according to prosecutors.
“The Department of Justice remains committed to disrupting North Korea’s cyber-enabled sanctions-evading schemes, which seek to trick U.S. companies into funding the North Korean regime’s priorities, including its weapons programs,” said Supervisory Official Devin DeBacker of the Justice Department's National Security Division.
Increasing extortion
Alongside Thursday’s indictments, the FBI released an advisory confirming industry reports that as law enforcement scrutiny around the IT worker scheme has increased, more North Koreans are now attempting to extort companies.
“In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime,” the FBI said.
“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands.”
The FBI added that in some instances, North Korean IT workers have released proprietary code from the companies that hired them or copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts.
North Korean IT workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities,” the FBI said.
Last week, the U.S. sanctioned two North Korean nationals and several companies based in Laos and China for their work on the IT worker scheme. The U.S. also joined South Korea and Japan in releasing a statement warning the cryptocurrency industry about North Korean cyberattacks as well as the continued effort to place illegal IT workers within their companies.
Multiple Japanese companies have also been impacted by the North Korean IT worker scam, according to researchers at Nisos.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.