How a Laptop Farm Enabled North Korean IT Workers to Pose as Remote Employees in the US

Introduction

In a case that highlights the evolving threats of digital fraud, two American nationals were sentenced to 18 months in prison for running a scheme known as a laptop farm. This operation allowed North Korean IT workers to fraudulently obtain remote jobs with nearly 70 American companies. By understanding how this scheme worked, businesses and individuals can better protect themselves from similar scams. This guide breaks down the mechanics of a laptop farm operation, following the real-world methods used in the case.

How a Laptop Farm Enabled North Korean IT Workers to Pose as Remote Employees in the US — Source: www.bleepingcomputer.com

What You Need (If You Were a Criminal)

Disclaimer: This information is provided strictly for educational and awareness purposes. Engaging in any of these activities is illegal and carries serious consequences.

Multiple laptops or desktop computers – each configured with a different identity and location.
High-speed internet connection with a static IP address or residential proxy.
VPN service with servers in the United States (to hide the true origin).
Fake or stolen identification documents – including Social Security numbers, driver's licenses, and work histories.
List of targeted US companies – usually tech firms hiring remote IT contractors.
Pre‑paid credit cards or bank accounts in the false name (to receive payments).
Communication tools – email accounts, messaging apps, and collaboration platforms (Slack, Teams, etc.)
Assistance from a US-based accomplice who physically maintains the laptops and handles logistics.

Step-by-Step Guide to the Laptop Farm Scam

Step 1: Set Up the Physical Infrastructure

Establish a secure location in the United States where a bank of laptops or computers is maintained. This location must have reliable power and internet. The operator sets up each computer with a distinct operating system, user profile, and basic software (browsers, office tools, development environments). Each machine is assigned a separate identity so that when a company checks the IP address, it appears to come from a legitimate US home.

Step 2: Create Fake Identities and Resumes

For each laptop, build a complete fake persona. Use stolen or fabricated Social Security numbers, names, addresses, and educational backgrounds. Craft tailored resumes that match the roles targeted – often software developers, engineers, or IT support. Use public job boards and employer websites to find open positions that allow remote work.

Step 3: Apply for Jobs Using the Fake Identities

Submit applications from the corresponding laptop, ensuring the IP address matches the location listed on the resume. Use a VPN on the North Korean side to route traffic through the US laptop farm, so during interviews and background checks, the connection appears to originate from the US machine. Maintain consistent time zones and work hours (US business hours).

Step 4: Handle Telephonic and Video Interviews

During interviews, the North Korean worker speaks with the US employer while the farm operator ensures the call routes through the correct laptop. The operator may monitor the interview to step in if technical issues arise. Use screen sharing to demonstrate skills, but hide any clues about the true location (e.g., disable webcam backgrounds that show Korean text).

Step 5: Manage the Employment Day‑to‑Day

Once hired, the North Korean worker logs into the company’s systems via the laptop farm. The farm’s operator keeps the laptop running and connected 24/7 to avoid interruptions. All communications – emails, code commits, chat messages – pass through the US machine. The worker may use a remote desktop tool to control the laptop, while the operator ensures the machine stays online and secure.

Step 6: Collect Payments and Maintain Secrecy

Payment is sent to a US bank account or pre‑paid card in the fake name. The operator withdraws the money, takes a cut, and transfers the remainder (often via cryptocurrency or wire transfer) to North Korea. To avoid detection, the worker uses encrypted messaging to communicate with the operator, and the operator avoids any public association with North Korea.

Step 7: Expand the Operation

To maximize profit, the farm can scale up by adding more laptops and identities. The case involved nearly 70 companies, meaning multiple workers and machines were active simultaneously. The operator manages logistics, troubleshoots technical issues, and recruits additional accomplices to handle the workload.

Tips for Companies to Detect and Prevent Laptop Farm Scams

Now that you understand how these scams operate, here are actionable tips to protect your organization:

Verify identities thoroughly – Use third‑party background checks that include physical address verification and social security trace.
Monitor device and network behavior – Look for anomalies like logins from multiple IPs in short intervals, or traffic patterns that suggest a VPN being used to hide a secondary hop.
Require video interviews with webcam on and ask candidates to show their physical surroundings – a blank wall or office that matches the stated location.
Use device fingerprinting – Maintain a record of hardware IDs and browser fingerprints; if the same device appears under multiple employees, it's a red flag.
Conduct random check-ins – Occasionally request a real‑time video call during work hours and note the environment.
Implement time‑zone tracking – If an employee's supposed location is US‑based but they consistently respond to messages at odd hours, investigate.
Educate your hiring team about these schemes and create clear protocols for reporting suspicious hiring experiences.

Remember, the best defense is a combination of rigorous hiring processes, ongoing monitoring, and awareness of emerging threats. While the laptop farm case resulted in prison sentences, similar schemes continue to evolve. Stay vigilant.