North Korean Operatives, U.S. Accomplices Infiltrated Fortune 500 Firms in Massive Remote Work Fraud Scheme

GeokHub

Contributing Writer

The U.S. Department of Justice has unveiled the details of a sweeping criminal operation in which North Korean IT operatives, aided by American accomplices, fraudulently infiltrated more than 300 companies—including members of the Fortune 500—generating millions of dollars in illicit income and compromising national security-sensitive data.

Federal prosecutors allege that the scheme, which spanned several years, involved North Korean nationals posing as remote IT contractors, using stolen identities of American citizens to gain employment within U.S.-based companies. These impostors reportedly secured jobs at a range of major firms in finance, healthcare, aerospace, and technology—positions that gave them not only a source of income, but access to internal systems and, in some cases, classified intellectual property.

The operation was allegedly facilitated by several U.S. citizens who knowingly assisted in falsifying employment documents, handling payroll, and providing access to equipment that allowed the North Koreans to mask their locations and identities. Among the accused is Zhenxing “Danny” Wang, a New Jersey resident arrested last week, who is believed to have played a central role in coordinating domestic logistics and financial flows.

Authorities say the fraudulent work generated more than $6.8 million in revenue, some of which was funneled directly back to the North Korean regime. Investigators believe these funds may have supported sanctioned weapons development programs, highlighting the national security stakes behind what at first glance appeared to be a digital employment scam.

In a joint statement, the FBI and Department of Homeland Security called the operation “a sophisticated and deeply concerning breach of American corporate and national defenses.” They noted that the accused used tactics such as “laptop farms,” VPN masking, and layered proxy networks to obscure their true identities and physical locations—many traced back to North Korea and China.

The scale of the breach stunned officials, who confirmed that at least 100 U.S. citizens had their identities stolen and used without consent. Sensitive projects, including one involving defense aerospace technology, were accessed during the scheme. The Department of State has since issued a “critical-level” alert to businesses, urging firms that employ remote workers to immediately review authentication protocols and location verification practices.

As of now, more than 20 individuals face charges, with further indictments expected. Authorities also confirmed that they have seized over 200 laptops, multiple crypto wallets, and more than $1.5 million in assets connected to the operation.

The case represents one of the most significant examples to date of how hostile foreign actors can exploit the rise of remote work to bypass traditional security barriers. As investigations continue, officials warn that similar schemes may already be underway in other industries and jurisdictions.

The DOJ reaffirmed its commitment to protecting the integrity of U.S. systems, stating: “This was not just a fraud—it was a strategic infiltration, executed quietly, and designed to fund a foreign government’s weapons program through our own economy.”
