According to the first major indictment from the District of Massachusetts, a crew of North Korean IT workers allegedly partnered with co-conspirators in New York, New Jersey, California, and overseas to steal the identities of more than 80 U.S. people, get remote jobs at more than 100 companies—many in the Fortune 500—and steal at least $5 million. According to the second indictment, a four-person team of North Korean IT workers allegedly traveled to the United Arab Emirates where they used stolen identities to pose as remote IT workers, get jobs at American companies for themselves and unnamed co-conspirators, and then systematically steal digital currency to fund North Korea’s nuclear-weapons programs, authorities claimed in the five-count federal charging document. 

The indictments lay out in detail the way the IT worker scheme has leveled up from merely relying on fake and fabricated identities, to a complex web of American-led front companies. The front companies are founded by paid accomplices and make it appear as though the IT workers are affiliated with legitimate U.S. businesses. The front runners conceal the North Korean IT workers behind stolen American identities, and offer them U.S. addresses to take shipment of laptops sent out by companies for remote software jobs. The stolen revenue generated in the fraud scheme is allegedly transferred to North Korean leadership to help fund the authoritarian regime’s weapons of mass destruction and ballistic-missile programs. 

“North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft, but the FBI is equally intent on disrupting this massive campaign and bringing its perpetrators to justice,” Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division said in a statement. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime. The FBI will do everything in our power to defend the homeland and protect Americans from being victimized by the North Korean government, and we ask all U.S. companies that employ remote workers to remain vigilant to this sophisticated threat.”

The authoritarian leadership of the Democratic People’s Republic of Korea (DPRK) has deployed thousands of trained IT workers around the world to trick companies into hiring them for remote IT jobs, authorities said Monday. Once hired, the IT workers are tasked with making money and gathering intelligence to aid in cyber heists. Known colloquially as the “North Korean IT worker scheme,” hundreds of Fortune 500 and smaller tech companies have been battling back a tsunami of fake would-be job seekers who are actually trained North Korean IT workers. The UN has estimated the scheme generates between $200 million to $600 million per year, not including the amount of crypto allegedly stolen in heists using intelligence gathered by the North Korean IT workers, which is in the billions. 

According to the indictment, New Jersey man Zhenxing “Danny” Wang founded a software development company called Independent Lab as a front company in the scheme. Through Independent Lab, companies shipped laptops to Wang addressed to what the companies thought were hired IT workers, but in reality were people who had their identities stolen. Wang allegedly hosted the laptops at his home, known as a “laptop farm,” and installed remote-access software so the North Korean workers could access them from overseas locations. Wang also took in money paid as compensation from the U.S. companies and allegedly transferred it to accounts controlled by the overseas conspirators. 

The indictment states multiple defendants and accomplices acted using front companies, including other unnamed conspirators in New York and California, plus an active-duty member of the U.S. military. The accomplices allegedly hosted laptop farms in their homes in exchange for hundreds of thousands of dollars in fees, authorities claimed. The fronts allegedly defrauded at least four major companies, causing each one at least $100,000 in damages and lost wages. One accomplice alleged to be Kejia Wang, allegedly knew the workers were acting on behalf of North Korea. 

In addition to Danny Wang, the government charged eight other defendants and claimed the fraud included a California-based defense contractor, from which an overseas actor allegedly stole sensitive documents related to U.S. military technology. Other companies impacted in the fraud scheme are located in California, Massachusetts, New York, New Jersey, Florida, New Mexico, Georgia, Maryland, North Carolina, Illinois, Ohio, South Carolina, Michigan, Texas, Indiana, Arkansas, Missouri, Tennessee, Minnesota, Rhode Island, Wisconsin, Oregon, Pennsylvania, Washington, Utah, Colorado, and the District of Columbia. 

Michael “Barni” Barnhart, principal risk investigator at security firm DTEX, said the arrests announced this week serve as a reminder that the threats from DPRK IT workers extend beyond just generating revenue. 

“Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide,” Barnhart told Fortune in a statement. “DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base.” 

Barnhart suggests the arrests underscore the notion that companies have to look beyond the typical applicant portals and reassess their entire talent pipelines given the way the DPRK IT worker threat has adapted. 

“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” Assistant Attorney General for the Department’s National Security Division John A. Eisenberg said in a statement. “The Justice Department, along with our law enforcement, private sector, and international partners, will persistently pursue and dismantle these cyber-enabled revenue generation networks.”

The second indictment outlines how the four-man delegation used a mix of stolen identities and aliases to get two North Korean IT workers developer jobs at an Atlanta, Georgia research and development tech firm, and at a separate virtual token company. 

Together, the duo stole crypto valued at nearly $1 million, the U.S. Attorney’s Office for the Northern District of Georgia alleged in an indictment handed down last week. The two IT workers then brought in others to help them allegedly launder the currency so they could disguise its origins before sending the money home to North Korean leadership.

‘It’s not me!!!’

As alleged in the second indictment, the scheme in this case began in October 2019 when four trained North Korean IT workers traveled to the United Arab Emirates using North Korean documents and set themselves up as a team. The crew methodically leveraged stolen identities blended with their own photos to pass muster as legitimate employees and gain access to sensitive information at the companies. The goal, according to the indictment, was to earn enough trust to get access to the virtual currencies the companies controlled so they could transfer them to the DPRK government, led by authoritarian dictator Kim Jong Un. 

Once up and running, in December 2020 defendant Kim Kwang Jim allegedly gave an unnamed company a fake Portuguese ID that included a photo of Kim with the victim’s actual birthdate and government identification number. Kim allegedly used the stolen identity as an alias to get work developing source code at an unnamed U.S. company based in Atlanta. The indictment only names the stolen ID victim as “P.S.” and does not name any company that allegedly hired a North Korean IT worker.

In March 2022, Kim allegedly modified the source code at the company where he had been hired. His changes altered the code for two smart contracts the company owned and controlled that lived on the Ethereum and Polygon blockchains. Kim triggered rule changes dictating when currency could be withdrawn from the company-controlled funding pools.

Then on March 29 and March 30, 2022, Kim allegedly took 4 million Elixir tokens, 229,051 Matic tokens, and 110,846 Start. All told, the virtual currencies were worth about $740,000 at the time of the theft, according to the indictment. Kim allegedly transferred the currency to another currency address he controlled. 

Authorities say Kim offered up a dog-ate-my-homework rationale to the founder to try to explain the currency transfer: “hi bro, really sorry – these weird txs started happening after i refactored my github.”

On March 30, the company founder sent a message on Telegram to Kim accusing him of stealing the virtual currency from the company’s funding pools. Kim, using the Telegram account set up with the P.S. stolen identity, wrote back, “How many times do I need to tell you??? I didn’t do it!!! It’s not me!!!”

‘Bryan Cho’

Another alleged incident outlined in the indictment began in May 2021. Authorities say defendant Jong Pong Ju allegedly used the alias “Bryan Cho” to get a job at another unnamed company to provide IT services. 

After he was hired, Jong allegedly gained access to the company’s virtual currency. Later that year, in October 2021, Jong allegedly used a Telegram account he had created using the “Bryan Cho” alias to recommend to the company founder that “Peter Xiao” would make a great developer. Authorities alleged Peter Xiao was actually another defendant, Chang Nam Il. The founder took Jong’s recommendation and hired “Peter Xiao” to work on front-end development. Chang, working as Peter Xiao, allegedly worked at the company from October 2021 until January 2022. 

In January 2022, the company founder asked for a video to verify the identity of “Bryan Cho”—who was actually Jong, authorities allege—before giving Jong additional access to the company’s crypto assets. On January 25, 2022, Jong allegedly used a Malaysian driver’s license with the Bryan Cho alias to send a video to the founder over Telegram. The founder then allegedly gave Jong additional access. 

The following month, Jong took that access and allegedly stole virtual currency tokens valued at approximately 60 Ether (worth $175,680 at the time) by transferring it to another virtual currency address that Jong controlled. Jong then used the Bryan Cho Telegram account to message the company founder, “I think I accidently (sic) dropped the private key into the .env sample file.” 

The founder then asked where the “.env file” was uploaded, and Jong—as Bryan Cho—told him, “Github.”

“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” U.S. Attorney Theodore S. Hertzberg said in a statement. “This indictment highlights the unique threat North Korea poses to companies that hire remote IT workers and underscores our resolve to prosecute any actor, in the United States or abroad, who steals from Georgia businesses.”

That wasn’t the end of it. From there, the North Korean IT workers allegedly needed to launder the stolen funds. 

Chang, Jong, Kim, and a fourth defendant Kang Tae Bok allegedly used additional aliases and a virtual currency mixer known as “Tornado Cash” to launder the stolen assets. Tornado Cash is a crypto mixer that essentially blurs the trail of crypto transactions.

Authorities allege Kang used the alias “Wong Shao Onn” to open an account at an unnamed virtual currency exchange using a doctored Malaysian ID with his own photo. Similarly, Chang used a faked Malaysian ID to open an account using the alias “Bong Chee Shen.”

Jong, after he allegedly stole the 60 Ether, sent the currency to Tornado Cash for mixing, the indictment states. Kim allegedly sent his stolen tokens to Tornado Cash also. The mixed funds were then withdrawn into accounts controlled by Kang and Chang, using the Wong and Bong aliases. 

Tornado Cash did not respond to a request for comment. Attempts to reach Wang were unsuccessful.