The U.S. Justice Department has sentenced two New Jersey residents, Kejia Wang and Zhenxing Wang, for enabling a massive fraudulent employment operation that generated over $5 million for the Democratic People’s Republic of Korea (DPRK).
Kejia Wang received a 108-month prison term, while Zhenxing Wang was sentenced to 92 months in prison. Both defendants were additionally ordered to serve three years of supervised release and forfeit $600,000 paid to them for their illicit facilitation services.
Over a multi-year period, the cyber operation successfully compromised the identities of more than 80 U.S. citizens.
These stolen identities were subsequently weaponized to secure remote IT positions for North Korean operatives at over 100 American companies, including numerous Fortune 500 enterprises.
Technical Execution and Shell Companies
The perpetrators executed the fraud by operating sophisticated “laptop farms” hosted directly within U.S. residences.
This physical infrastructure was designed to deceive corporate employers into believing their newly hired IT staff were domestically located.
To bypass geographic restrictions, the U.S.-based facilitators connected the corporate-issued laptops to hardware devices known as keyboard-video-mouse (KVM) switches.
These specific devices successfully allowed the overseas North Korean IT workers to remotely control the laptops and bypass basic geolocation security checks.
Furthermore, the defendants established fraudulent shell companies, including Hopana Tech LLC and Independent Lab LLC, to legitimize the illicit revenue streams.
These entities possessed no actual operations but effectively laundered millions of dollars from victimized businesses before transferring the funds to overseas co-conspirators.
Beyond standard financial fraud, the threat actors systematically infiltrated sensitive corporate networks, resulting in severe data breaches and unauthorized access to proprietary source code.
One critical incident involved a California-based defense contractor specializing in artificial intelligence-powered equipment. ‘
Between January and April 2024, an overseas co-conspirator remotely accessed the contractor’s systems, exfiltrating technical data strictly controlled under the International Traffic in Arms Regulations (ITAR).
Consequently, victim organizations have incurred damages exceeding $3 million to cover legal fees and extensive computer network remediation costs.
Mitigation and Ongoing Investigations
This enforcement action represents a core component of the DPRK RevGen: Domestic Enabler Initiative, an ongoing joint effort by the Justice Department and the FBI to dismantle North Korea’s malicious cyber revenue streams.
Federal authorities have already seized 17 web domains and 29 financial accounts tied to this specific infrastructure.
Simultaneously, the U.S. Department of State is offering a $5 million reward for information leading to the disruption of eight remaining fugitive co-conspirators who remain at large.
To effectively defend against this specific threat vector, the FBI strongly advises organizations to implement the following technical mitigation strategies:
- Closely monitor network traffic for unexpected remote access protocols.
- Strengthen remote hiring processes using advanced identity verification.
- Restrict and audit endpoint connections to unauthorized KVM switches.
- Promptly report any suspicious IT worker activity or potential fraud to the FBI.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
