Pyongyang By Proxy: The Growing Risks Of Remote Work

Faced with a wide range of international sanctions that aim to restrict the country's access to global markets, financial systems, and technology, North Korea has become adept at cyber warfare to bring funds into the country.

Recent prosecutions highlight one of the regime's more recent tactics: so-called “laptop farm”—U.S.-based sites that host computers for overseas workers to make companies believe their remote employees are working within the United States.

Laptop farm schemes have enabled North Korean workers to obtain remote IT jobs at U.S. companies and across the globe. Not only are the salaries paid to these North Korean IT workers largely routed to the North Korean weapons program, but these IT workers also often steal sensitive or valuable company information for use in North Korea or as leverage for ransom demands to U.S. companies.

U.S. companies—especially those that permit remote work—should keep abreast of these developments, design their hiring and compliance regimes to best ensure that they are not inadvertently hiring nefarious employees, and respond appropriately, including by conducting a thorough investigation and making any obligatory disclosures, if they fall victim to a scheme

What Are North Korean Laptop Farms?

The backdrop for these laptop farms is Western economic sanctions on North Korea resulting from its weapons program. These sanctions have largely cut off North Korea from the U.S. financial system, requiring North Korea to find illicit ways to bring funds into the country to support its weapons program. North Korea has a long history of cyberattacks, many of which are believed to be state-sponsored, and target a range of entities, including financial institutions, government organizations, and private companies.

Enter laptop farms. The North Korean government has trained thousands of highly skilled IT workers who, using a mix of virtual private networks, third-country IP addresses, proxy accounts, or falsified or stolen information, obtain employment as IT professionals at companies around the world.

After securing such a job (and, often, more than one), some simply perform IT tasks, sometimes from within China, while the North Korean government takes most of their salaries and uses them for its weapons program. But others also engage in corporate espionage, stealing valuable company information or property. Sometimes they threaten to expose that proprietary information to extract a ransom. See, e.g., Indictment, ECF No. 2, United States v. Hwa et al., No. 24 Cr. 648 (E.D. Mo.). This scheme requires infrastructure, and several recent prosecutions illustrate the ways that the North Koreans have built these schemes.

For example, Oleksandr Didenko, a Ukrainian national, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft for helping North Korean IT workers “create fraudulent accounts under false identities with online freelance IT job search platforms.” See Indictment, ECF No. 7, United States v. Didenko, No. 24 Cr. 261 (D.D.C.).

He was accused of creating more than 800 false identities, associating those identities with more than 2,600 accounts on job, email, and social media platforms, and selling or renting those identities and accounts to North Koreans through a website he hosted.

The North Korean IT workers were paid to use those identities and accounts to apply for IT jobs in the United States. To obtain the positions, North Korean IT workers have gone so far as to hire actors to appear for the job interviews and create websites for fake companies listed as their prior employers. See, e.g., Indictment, ECF No. 2, United States v. Hwa et al., No. 24 Cr. 648 (E.D. Mo.).

Didenko allegedly used laptop farms to “assist[ed] the overseas IT workers in performing work at U.S. companies under the false identities.” Christina Chapman, an American, pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud and money laundering for hosting one such laptop farm. See Indictment, ECF No. 1, United States v. Chapman, No. 24 Cr. 220 (D.D.C.).

According to the indictment against her, Chapman became involved in the scheme after being approached and asked to be the “U.S. face” of a company helping overseas workers obtain remote IT work in the United States.

She “assisted the [North Korean] IT workers in validating stolen identity information of U.S. citizens so [they] could pose as U.S. citizens” by allowing her debit card to be used to run online background checks to identify identities susceptible to theft. She also helped the North Koreans by forging forms to apply for jobs.

After the North Koreans obtained remote U.S. IT work, Chapman “received and hosted laptops issued by U.S. companies to the [North Korean] IT workers in her U.S. residences…so that the companies believed the workers to be located in the United States” and “logged into the U.S. companies' laptops and assisted the [North Korean] IT workers with connecting remotely, so it appeared that the logins were coming from the United States.”

Finally, she “received paychecks for the overseas IT workers at her home, forged the signatures of the beneficiary on the checks, and deposited them to her U.S. financial institution, thereafter further transferring” that money back to the North Korean IT workers.” The scheme in which Chapman participated “impacted more than 300 U.S. companies, compromised more than 60 identities of U.S. persons,…created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the” North Korean IT workers.

Legal Risks for Companies

Laptop farms pose major risks for companies. Chapman's scheme, for example, affected numerous Fortune 500 companies, including “a top-5 national television network and media company, a premier Silicon Valley technology company, an aerospace and defense manufacturer, an iconic American car manufacturer, a high-end retail chain, and one of the most recognizable media and entertainment companies in the world.” Amazon has reportedly blocked nearly 2,000 applications linked to suspected North Koreans.

Sanctions Violations. Perhaps the most pressing legal risk posed by North Korean laptop farms is the potential for inadvertent violations of international sanctions. United States sanctions on North Korea were issued pursuant to the International Emergency Economic Powers Act, and civil violations of that statute are strict-liability offenses, meaning even innocent violations can lead to fines and other penalties. Willful violations of the statute can be criminal offenses.

Data Privacy. Another legal challenge for victim companies is the risk that data a North Korean employee views or pilfers may be subject to data-protection laws, such as the General Data Protection Regulation in the European Union or California Consumer Privacy Act in the U.S. Although many publicly known examples of data taken by these actors have entailed ransom demands, the North Korean regime may also be directing employees to export sensitive data back to North Korea, especially at companies with data that may be significant for national security.

Disclosure Obligations. Public companies, among others, are obligated by SEC regulations to promptly report certain details of cybersecurity incidents if it determines that those incidents are material. To the extent a North Korean employee engages in conduct within a company's system that constitutes such an incident, companies may be required to disclose that fact publicly, which may draw law enforcement scrutiny or burdensome civil litigation. Companies, whether public or private, may also have disclosure obligations under other laws, such as data-privacy statutes that may apply when protected information is disclosed to an unknown third party.

Mitigating Legal Risks

Rigorous Vetting at The Hiring Stage.  The rise in remote work has created fertile ground for laptop farm schemes. Improving methods to detect potential bad actors at the hiring stage is likely to be fruitful for companies when hiring for remote positions.

Companies should consider not only requiring verifiable, government-issued identification at multiple stages of the recruitment process, but also employing trusted third-party services to authenticate identity documents and claimed prior employment or educational credentials.

Although video interviews are becoming significantly less potent due to the rise of generative artificial intelligence, interviewers should pay specific attention for telltale signs of AI use, such as unnatural edges against a background and blurring or flickering.

Asking candidates to do things like wave their hand in front of their face or lean forward or backward in a chair can often trigger AI glitches as well.

Finally, where possible, requiring some degree of in-person verification—such as requiring a new employee to pick up any company-issued laptop in person—will go a long way toward mitigating risk.

Careful Attention to Payee Information. Because of Western sanctions, transferring money into North Korea is a difficult and fraught process. A key element of laptop farm schemes is facilitating that transfer, often by having paychecks issued to a U.S. person who then passes the money along, often through the use of cryptocurrency.

Companies should ensure that paychecks are issued in the name of the employee and, when physical checks are issued, take a second look at where those checks are being sent to identify any suspicious recipients.

Cyberattack Response Plan. Companies should develop and regularly update a cyberattack response plan that includes procedures for detecting, responding to, and recovering from cyber incidents.

This plan should include steps to ensure that the company and its IT department are being monitored for threats and intrusions, protocols for notifying customers and regulators, and procedures to preserve evidence for potential investigations.

Breaches may warrant internal investigations to assess the scope of the intrusion, including what sensitive data bad actors may have accessed; whether the incident triggers any disclosure obligations; and whether the company's hiring and onboarding procedures suffice to prevent similar issues in the future.

Conclusion

Laptop farm schemes are one of the newest frontiers in the United States' conflict with North Korea. With remote work seemingly here to stay, companies should keep in mind the risks that such schemes can pose, including risks of sanctions violations, data breaches, and theft of intellectual property.

By strengthening hiring controls, establishing a robust cybersecurity protocol, scrutinizing payment mechanisms, and responding to potential laptop farm activity with robust investigations and an analysis of potential legal obligations, companies can reduce the likelihood of becoming unwitting participants in these schemes.

This article first appeared in the January 15, 2026, edition of the “New York Law Journal” © 2026 ALM Global Properties, LLC. All rights reserved.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.