A U.S. national, along with overseas information technology workers, orchestrated a fraud scheme impacting over 300 U.S. companies and at least three federal agencies, generating at least $6.8 million for foreign individuals and entities, including North Korea, according to unsealed court documents from the U.S. Department of Justice (DOJ). The indictment details that an Arizona woman and her co-conspirators falsified employment verification forms and submitted false wage and benefits information on behalf of IT workers using stolen or borrowed identities from over 60 U.S. individuals. The affected employers, all Fortune 500 companies, were not named in the indictment.
The scheme, which spanned approximately three years starting around October 2020, involved a “laptop farm” operated by the Arizona woman. This setup connected multiple laptops to various company networks, allowing remote operation by IT workers. An arrest warrant was also issued for a Ukrainian national allegedly involved in the conspiracy.
This indictment is linked to a 2023 DOJ operation that seized website domains used by North Korean IT workers to defraud businesses and fund North Korea’s weapons program. Affected companies included a “top-5 national television network and media company,” a “premier Silicon Valley technology company,” and an “iconic American car manufacturer.” Additionally, data was exfiltrated from a multinational restaurant chain and a “classic American clothing brand.” The conspirators also unsuccessfully attempted to gain access to information from two different U.S. government agencies on three occasions.
Fraudulent remote work applications have previously drawn attention from federal law enforcement. The FBI issued a public service announcement in 2022 warning employers about deepfakes and stolen personally identifiable information used to secure remote positions. Data breaches involving job applicants’ information have highlighted the vulnerability of HR and employment data to cybercriminals.