Remote recruitment and front companies open the way to North Korean espionage in large corporations


A sophisticated, long-running scheme allowed North Korean technology workers to gain access to the networks and payrolls of American companies while posing as local residents. The United States Department of Justice determined that, between 2021 and October 2024, the operation facilitated the remote hiring of IT personnel from the Democratic People's Republic of Korea at more than 100 companies, including several on the Fortune 500 list, through stolen identities and front companies.

According to court documents published by the Department of Justice itself, those involved created structures that imitated legitimate companies: fake websites, bank accounts and shell companies with names like Tony WKJ LLC, Hopana Tech LLC or Independent Lab LLC. These fronts served to justify invoicing and payments, and thus to channel funds to the North Korean network. The investigation estimates that the operations generated more than $5 million in illicit income for the North Korean regime and caused approximate losses of 3 million for the companies concerned. The court records explain in detail how the workers passed themselves off as American citizens, using identities taken from more than 80 real people; official documentation can be found on the DOJ website: judicial documents.

Two American citizens, Kejia Wang and Zhenxing Wang, were charged in June 2025 as part of a coordinated action to dismantle fundraising operations that benefited the North Korean government. Both pleaded guilty and received prison sentences: Kejia Wang was sentenced to 108 months after admitting his guilt in September 2025, while Zhenxing Wang received 92 months after an agreement in January 2026. The DOJ issued press releases on these sentences and the charges: Kejia Wang's sentence and additional charges.

The modus operandi was not limited to creating paperwork and websites. The investigation reveals that one of the accused went as far as physically hosting corporate laptops in homes in the United States, allowing remote North Korean workers to connect to corporate systems without triggering the typical alerts generated by access from foreign locations. This type of ruse complicates detection and turns legitimate remote jobs into a gateway for espionage and fraud campaigns.

In addition to the two people convicted, several individuals linked to the same scheme remain fugitives. The State Department and programs such as Rewards for Justice have offered incentives for information about those involved: in this case, up to $5 million has been offered for information that helps identify and arrest suspects, and the notice is publicly available from the reward initiative: Rewards for Justice.

The case is not an isolated event. Since 2023, the FBI has warned in its cybersecurity notices about North Korean groups posing as US-resident IT personnel to obtain remote jobs and thus infiltrate corporate networks. The IC3 public warnings (the FBI anti-fraud unit) describe this pattern and recommend general mitigation measures; information can be found in the FBI releases: 2024 notice and notice of 2023.

From a security point of view, the episode brings together several risks in which identity fraud, sanctions evasion and persistent access to systems converge. Beyond the direct economic impact, the covert presence of remote consultants or engineers within critical infrastructure exposes sensitive data, intellectual property and, in some sectors, national security-related capabilities. Researchers point out that these campaigns allow a state to act undercover and at relatively low cost.

For companies operating with distributed teams, this requires rethinking trust controls. The practices traditionally used to validate candidates and suppliers may be insufficient against impersonated identities and front networks designed to get around superficial checks. More stringent identity audits, enhanced multifactor verification, strict control of corporate devices and access architectures that minimize privileges can reduce the attack surface. Adopting security models based on zero trust and continuously monitoring the behavior of privileged accounts help to detect anomalies that a simple document check would not catch.

The sentences and legal actions against those involved show that the authorities combine criminal prosecution with international cooperation to cut off the financial flows and logistics networks that support these operations. However, the fact that some of the accused remain in unknown locations and the existence of wider networks indicate that the threat will persist as long as there are economic incentives and effective methods for hiding the origin of the payments and the real identity of the workers.

The case also raises questions about the governance of remote work and the limits of global recruitment. Offshore talent offers benefits, but it requires controls proportional to the risk. In an environment where state actors can exploit the digital economy to finance prohibited programs or to carry out espionage, the response needs to combine corporate due diligence, technological capabilities and cooperation between governments.

To follow the evolution of the case and to review the official documents, the notes and files published by the Department of Justice are available at this link to the investigation documents: DOJ - case documents, as well as the above-mentioned FBI notices.
