Companies Remain at Risk for Remote IT Worker Fraud; Should Consider Appropriate Mitigation Strategies
The U.S. Department of Justice (DOJ) recently announced a coordinated, nationwide enforcement action countering the Democratic People’s Republic of Korea (DPRK or “North Korea”) government’s efforts to finance its regime through remote worker fraud that has affected numerous U.S. companies. The June 2025 announcement included newly publicized information regarding two indictments, an arrest, searches of 29 known or suspected “laptop farms,” and the seizure of 29 financial accounts used to launder illicit funds. These efforts are the latest in a series of law enforcement actions that prioritize targeting and disrupting the DPRK’s illicit revenue generation via U.S.-based enablers in the IT sector. The announcement, together with new details in a late July sentencing announcement regarding an American participant in the scheme, provides new insights into how these schemes work and how companies can protect themselves.
As we discussed earlier this year, fully remote hiring and work, particularly in the technology sector, continue to pose unique business and legal risks for companies. The schemes involve North Korean individuals fraudulently obtaining employment with U.S. companies as remote IT workers using stolen and fake identities, often of U.S. persons. Once employed, the North Korean IT workers receive regular salary payments, and they often gain access to sensitive employer information that may reportedly include export-controlled U.S. military technology and virtual currency.
As one indictment from the District of Massachusetts makes clear, North Korean fraudsters target companies of all sizes. The indictment alleges that from approximately 2021 until October 2024, defendants and other co-conspirators infiltrated more than 100 U.S. businesses, including many Fortune 500 companies, by compromising the identities of more than 80 U.S. persons and using those stolen identities to secure remote IT jobs. The alleged damages and losses of this scheme alone exceed $3 million. These individuals often secure multiple jobs across numerous companies, using Americans as facilitators. From what the U.S. government has described in various public filings, the U.S.-based enablers run so-called “laptop farms” to make it appear that computers used by the DPRK nationals are logging in from the United States. According to the indictment, between June 10 and June 17, 2025, the FBI executed searches at 21 different places in 14 states hosting known and suspected laptop farms. The FBI ultimately seized approximately 137 laptops that week alone in that one case.
With the real and growing risk of remote IT worker fraud, companies should consider in advance ways to recognize and mitigate this threat. Red flags include inconsistencies in name spelling, nationality, claimed work location, contact details, education history, work history, and social media profiles. Red flags also include an unwillingness to appear on camera or an inability to meet the candidate or remote employee in person. A crucial red flag is a request by new employees to ship their work laptop to an address that is different from the location listed on their hiring materials. Other indicators include multiple logins into one account from various IP addresses in a short period of time, the use of remote desktop sharing software, or work hours that are not regular business hours.
As for potential mitigation strategies, companies should train human resources and onboarding staff on the common red flags seen in DPRK IT worker resumes, and should enhance identity verification by requiring multi-document verification and applying closer scrutiny to social media and public records. Companies can require applicants to appear on camera for all interviewing sessions and consider periodic on-camera check-ins once hired. Companies can also insist on only shipping a laptop and other equipment to the location listed on the individual’s application or to a UPS store near them that will require ID verification. Additionally, enhancing remote access network monitoring and maintaining strong cybersecurity practices help identify potential remote IT worker fraud.
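Two of the login indicators listed above (several IP addresses on one account within a short period, and logins outside regular business hours) can be checked directly against remote-access logs. The following Python is an added example, not part of the original article: the log format, the account names, the 60-minute window, the three-address threshold and the 08:00 to 18:00 business day are all assumptions to be replaced with an organization's own values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real data); format is an assumption:
# "<ISO time> user=<id> src=<ip>". IPs are from documentation ranges.
SAMPLE_LOG = """\
2025-07-01T09:02:11 user=asmith src=192.0.2.15
2025-07-01T13:40:05 user=asmith src=192.0.2.15
2025-07-01T02:10:00 user=jdoe src=203.0.113.10
2025-07-01T02:25:30 user=jdoe src=198.51.100.7
2025-07-01T02:48:12 user=jdoe src=192.0.2.200
2025-07-01T10:15:00 user=jdoe src=203.0.113.10
"""
WINDOW = timedelta(minutes=60)   # assumed meaning of "short period of time"
MIN_DISTINCT_IPS = 3             # assumed threshold for "various IP addresses"
BUSINESS_HOURS = range(8, 18)    # assumed 08:00-17:59 in the log's time zone


def parse(log_text):
    """Yield (timestamp, user, src_ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            yield datetime.fromisoformat(parts[0]), fields["user"], fields["src"]
        except (ValueError, KeyError, IndexError):
            continue


def find_red_flags(log_text):
    """Return {user: set of flag names} for the two login indicators."""
    by_user = defaultdict(list)
    for ts, user, ip in parse(log_text):
        by_user[user].append((ts, ip))
    flags = defaultdict(set)
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            if ts.hour not in BUSINESS_HOURS:
                flags[user].add("off_hours_login")
            while ts - events[start][0] > WINDOW:  # shrink window to <= WINDOW
                start += 1
            if len({ip for _, ip in events[start:end + 1]}) >= MIN_DISTINCT_IPS:
                flags[user].add("many_ips_short_window")
    return dict(flags)


if __name__ == "__main__":
    print(find_red_flags(SAMPLE_LOG))
```

The off-hours check is only meaningful once timestamps are converted to the time zone of the employee's claimed work location.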
If a victim company suspects that it has inadvertently hired a DPRK worker, it should consider immediately terminating the worker’s access and reporting the matter to law enforcement. We recommend engaging experienced counsel to assess the scope of the insider threat, evaluate potential liability, and navigate any reporting requirements. Our January 2025 blog post details additional steps that you and your company can take to limit your business risk, including robust vetting and mitigation strategies.